Description
The binlayerpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2025-03-12
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated Stored Cross‑Site Scripting
Action: Update Plugin
AI Analysis

Impact

The binlayerpress WordPress plugin is vulnerable to stored cross‑site scripting. When an administrator or higher‑privileged user configures certain settings, the plugin fails to sanitize or escape the input and stores the data unfiltered. Any user who subsequently views a page that incorporates those settings will have the malicious scripts executed in the context of the site. Because the vulnerability is stored, it can affect many users over time.

Affected Systems

The affected product is the Binlayerpress plugin for WordPress, specifically all releases up to and including version 1.1. The flaw only manifests in multi‑site WordPress installations where the unfiltered_html capability has been disabled. Administrators with elevated privileges in such environments are at risk.

Risk and Exploitability

The CVSS score of 4.4 indicates a moderate risk, and the EPSS score of less than 1% suggests that exploitation is unlikely to be widespread at present. The vulnerability is not listed in the CISA KEV catalog, further supporting a lower threat likelihood. However, because any authenticated administrator can inject code, the potential impact includes session hijacking, defacement, or credential theft for site visitors. An attacker would need administrative credentials and access to the site’s backend; once mitigated, the threat is effectively removed.

Generated by OpenCVE AI on April 21, 2026 at 22:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Binlayerpress plugin to a version newer than 1.1 if one is available
  • If an update is not available, disable or delete the plugin to eliminate the attack surface
  • If you must keep the plugin, restrict administrative privileges to trusted users and apply a content‑security‑policy to mitigate script execution in the browser

Generated by OpenCVE AI on April 21, 2026 at 22:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7484 The binlayerpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
History

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00028}

 epss

{'score': 0.0004}

Mon, 07 Apr 2025 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Gnarf
Gnarf binlayerpress
CPEs cpe:2.3:a:gnarf:binlayerpress:*:*:*:*:*:wordpress:*:*
Vendors & Products Gnarf
Gnarf binlayerpress

Wed, 12 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Description The binlayerpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title binlayerpress <= 1.1 - Authenticated (Admin+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Gnarf Binlayerpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:50:52.055Z

Reserved: 2025-03-06T21:36:22.259Z

Link: CVE-2025-2076

cve-icon Vulnrichment

Updated: 2025-03-12T13:32:25.612Z

cve-icon NVD

Status : Analyzed

Published: 2025-03-12T04:15:18.800

Modified: 2025-04-07T20:51:08.497

Link: CVE-2025-2076

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T22:00:26Z

Weaknesses