Description
The SimplyConvert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'simplyconvert_hash' option in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-12-12
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) that can be executed by other users when an administrator chooses a malicious value for the simplyconvert_hash option in the SimplyConvert WordPress plugin.
Action: Apply Plugin Update
AI Analysis

Impact

The vulnerability arises from insufficient sanitization and output escaping of the simplyconvert_hash option within the SimplyConvert plugin for WordPress. An attacker who can log in with administrator privileges can submit a crafted value for this option, which is then stored and rendered on pages that reference the option. When a user visits such a page, the injected script runs in the browser, potentially allowing the attacker to steal credentials, inject malware, or deface the site. The impact is confined to browsers that load the affected page and requires the attacker to possess administrator access to the site.

Affected Systems

All instances of the SimplyConvert plugin by jonahsc for WordPress with versions up to and including 1.0 are affected. The flaw exists in the plugin’s option handling and does not rely on specific WordPress core versions beyond the normal plugin compatibility.

Risk and Exploitability

The CVSS score of 4.4 indicates low severity, and the EPSS score of less than 1% suggests that exploitation is unlikely at the macro scale, especially since the attacker must obtain administrator privileges on the target WordPress installation. The vulnerability is not listed in the CISA KEV catalog, further reducing the immediacy of a known widespread exploit. Nonetheless, sites with compromised or weakly protected administrator accounts remain at risk of XSS-mediated attacks that can affect authenticated users.

Generated by OpenCVE AI on April 22, 2026 at 16:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SimplyConvert plugin to the latest available version or uninstall the plugin if an upgrade is not available.
  • Limit administrator privileges to a trusted set of users and consider disabling or removing the simplyconvert_hash option to eliminate the injection vector.
  • Implement a Web Application Firewall or enforce a strict Content Security Policy that blocks or sanitizes injected scripts on the site to mitigate the impact of the stored XSS attack.

Generated by OpenCVE AI on April 22, 2026 at 16:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Dec 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Dec 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 12 Dec 2025 03:45:00 +0000

Type Values Removed Values Added
Description The SimplyConvert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'simplyconvert_hash' option in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title SimplyConvert <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'simplyconvert_hash' Option
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:44:12.011Z

Reserved: 2025-12-04T16:52:11.423Z

Link: CVE-2025-14048

cve-icon Vulnrichment

Updated: 2025-12-15T18:07:27.850Z

cve-icon NVD

Status : Deferred

Published: 2025-12-12T04:15:46.730

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14048

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T16:15:21Z

Weaknesses