Impact
The vulnerability is a Cross‑Site Scripting flaw present in the WP Emmet plugin for WordPress versions 0.3.4 and earlier. It permits an authenticated site administrator to inject arbitrary script into the plugin's output, which will then execute in the context of any visitor who views that content. This can lead to cookie theft, defacement, or the execution of malicious code as the site’s administrator.
Affected Systems
Affected systems include any WordPress installation that has the WP Emmet plugin version 0.3.4 or earlier installed. The plugin is distributed by rewish under the name WP Emmet. No other plugins or WordPress components are indicated as impacted.
Risk and Exploitability
The CVSS score of 5.9 indicates a moderate severity, and an EPSS score of less than 1 % suggests that the probability of exploitation in the wild is low. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires administrative access to the plugin's interface and the ability to input malicious payloads that are rendered in the browser. Because the escape or sanitization routines were insufficient, a crafted input can trigger the XSS once the affected content is loaded by a victim. The attack vector is therefore confined to privileged users but can affect all site visitors.
OpenCVE Enrichment