Description
The Key Figures plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kf_field_figure_default_color_render function in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-01-07
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Key Figures WordPress plugin contains a Stored Cross-Site Scripting flaw that allows an authenticated administrator to inject arbitrary JavaScript via the kf_field_figure_default_color_render function. Because the plugin does not properly sanitize or escape user input, the injected script will run in the browser of any user who views a page that contains the malicious figure value, enabling the attacker to steal session data, deface content or potentially redirect users to malicious sites. This vulnerability exposes the confidentiality and integrity of site data to any authenticated user with administrative privileges.

Affected Systems

All installations of the Key Figures plugin up to and including version 1.1 are affected when used on a multi‑site WordPress network or when the unfiltered_html capability has been disabled. The issue is limited to WordPress environments that deploy this plugin in those specific configurations.

Risk and Exploitability

The CVSS score of 4.4 places the flaw in the moderate range, while the EPSS score of less than 1% indicates a low likelihood of exploitation at this time. The vulnerability is not currently listed in the CISA KEV catalog. In practice, an attacker would need access to an administrator account in the affected WordPress network to execute the stored payload, implying that credential compromise or social engineering could be the primary exploitation path.

Generated by OpenCVE AI on April 20, 2026 at 21:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Key Figures plugin to a release newer than 1.1 that contains the XSS fix.
  • Disable unfiltered_html for administrators on multisite installations or configure it to allow only trusted accounts.
  • Delete or sanitize any figure entries that contain suspicious or script‑based default color values.
  • Regularly audit plugin configuration files and perform vulnerability scanning to detect residual XSS content.

Generated by OpenCVE AI on April 20, 2026 at 21:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 07 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 07:30:00 +0000

Type Values Removed Values Added
Description The Key Figures plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kf_field_figure_default_color_render function in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title Key Figures <= 1.1 - Authenticated (Admin+) Stored Cross-Site Scripting via kf_field_figure_default_color_render
Weaknesses CWE-80
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:33:10.803Z

Reserved: 2025-12-16T16:18:36.518Z

Link: CVE-2025-14792

cve-icon Vulnrichment

Updated: 2026-01-07T14:50:00.787Z

cve-icon NVD

Status : Deferred

Published: 2026-01-07T12:16:56.177

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14792

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:30:18Z

Weaknesses