Description
The AI Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aife_post_meta' shortcode in all versions up to, and including, 1.0.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-12-12
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The AI Feeds plugin for WordPress contains a stored cross-site scripting flaw in the 'aife_post_meta' shortcode. A user with Contributor-level or higher privileges can inject a script payload through the shortcode, and that script is then served to every visitor of the page that uses it. The flaw stems from inadequate input sanitization and output escaping, so the attacker's code runs in the browsers of other site visitors, potentially leading to session hijacking, defacement, or phishing.

Affected Systems

All installations of AI Feeds version 1.0.22 or earlier are affected. The plugin is distributed by Soportecibeles, and any WordPress site running one of these versions is exposed.

Risk and Exploitability

The vulnerability is rated CVSS 6.4, indicating moderate severity. EPSS is below 1%, suggesting a low probability of exploitation at the time of assessment, and the flaw is not listed in CISA's KEV catalog. However, because the XSS is stored, an attacker who obtains Contributor-level access can easily inject a malicious script once and have it persist and run for every visitor of the affected pages. Successful exploitation could compromise user accounts and the integrity of the site's content.

Generated by OpenCVE AI on April 20, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AI Feeds plugin to a version newer than 1.0.22, which contains the missing input sanitization and output escaping.
  • Restrict the Contributor role or any role that can edit posts to only trusted users, thereby limiting the pool of attackers who can inject the malicious payload.
  • If an upgrade is not immediately possible, disable the problematic shortcode by removing it from posts or by using a plugin that sanitizes shortcode content before rendering.
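The third action above can be implemented as a must-use plugin. The following is an added illustration, not code from the AI Feeds plugin: it unregisters the vulnerable 'aife_post_meta' shortcode and installs a replacement that applies the attribute whitelisting, input sanitization and output escaping the advisory says are missing. The 'key' attribute and the post-meta lookup are assumptions about what the shortcode renders; the real plugin's attributes are not on this page.

```php
<?php
/**
 * Plugin Name: Neutralize aife_post_meta (interim mitigation)
 * Place in wp-content/mu-plugins/ so it is loaded before regular plugins.
 * Added illustration, not the AI Feeds plugin's own code. The 'key'
 * attribute and the meta lookup are assumptions about the shortcode.
 */

add_action( 'init', function () {
    // Run at the lowest priority so this registration replaces the one the
    // plugin made at load time or earlier on 'init'.
    remove_shortcode( 'aife_post_meta' );
    add_shortcode( 'aife_post_meta', 'hardened_aife_post_meta' );
}, PHP_INT_MAX );

function hardened_aife_post_meta( $atts ) {
    // Whitelist accepted attributes; anything else a Contributor supplies is dropped.
    $atts = shortcode_atts( array( 'key' => '' ), $atts, 'aife_post_meta' );

    // Input sanitization: reduce the attacker-controlled key to [a-z0-9_-].
    $key = sanitize_key( $atts['key'] );
    if ( '' === $key || '_' === $key[0] ) {
        return ''; // reject empty keys and protected (underscore-prefixed) meta
    }

    $value = get_post_meta( get_the_ID(), $key, true );
    if ( ! is_scalar( $value ) ) {
        return '';
    }

    // Output escaping at render time: HTML metacharacters in the stored value
    // become entities, so an injected <script> tag is displayed, not executed.
    return '<span class="aife-post-meta" data-key="' . esc_attr( $key ) . '">'
        . esc_html( (string) $value ) . '</span>';
}
```

This only takes effect if the plugin registers its shortcode at file load or on 'init'; if it registers later, the hook name must be adjusted accordingly.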

Advisories

No advisories yet.

History

Sun, 14 Dec 2025 21:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Fri, 12 Dec 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Dec 2025 11:30:00 +0000

Type: Description
Values Added: The AI Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aife_post_meta' shortcode in all versions up to, and including, 1.0.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
Values Added: AI Feeds <= 1.0.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'aife_post_meta' Shortcode
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:25:31.972Z

Reserved: 2025-12-04T14:34:19.986Z

Link: CVE-2025-14030

Vulnrichment

Updated: 2025-12-12T14:31:47.193Z

NVD

Status: Deferred

Published: 2025-12-12T12:15:45.897

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14030

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:30:18Z

Weaknesses