Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Benjamin Chris WP Editor.md – The Perfect WordPress Markdown Editor wp-editormd allows Stored XSS.This issue affects WP Editor.md – The Perfect WordPress Markdown Editor: from n/a through <= 10.2.1.
Published: 2025-04-09
Score: 5.9 Medium
EPSS: 1.0% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an improper neutralization of input during web page generation that allows stored cross‑site scripting in the WP Editor.md – The Perfect WordPress Markdown Editor plugin. The flaw relies on a classic input validation weakness (CWE‑79).

Affected Systems

The defect exists in the WP Editor.md – The Perfect WordPress Markdown Editor plugin for WordPress, affecting all releases from unspecified prior versions through version 10.2.1. Administrators running a vulnerable instance of the plugin on any WordPress installation are impacted.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, the EPSS score of < 1% shows a very low but non‑zero probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on May 1, 2026 at 10:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Editor.md to a version newer than 10.2.1 to remove the flaw
  • If upgrading cannot be performed immediately, disable or remove the plugin from the installation
  • Apply appropriate input sanitization or restrict editor access to trusted administrators only

Generated by OpenCVE AI on May 1, 2026 at 10:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-10660 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Benjamin Chris WP Editor.md &#8211; The Perfect WordPress Markdown Editor allows Stored XSS. This issue affects WP Editor.md &#8211; The Perfect WordPress Markdown Editor: from n/a through 10.2.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Benjamin Chris WP Editor.md &#8211; The Perfect WordPress Markdown Editor allows Stored XSS. This issue affects WP Editor.md &#8211; The Perfect WordPress Markdown Editor: from n/a through 10.2.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Benjamin Chris WP Editor.md – The Perfect WordPress Markdown Editor wp-editormd allows Stored XSS.This issue affects WP Editor.md – The Perfect WordPress Markdown Editor: from n/a through <= 10.2.1.
Title WordPress WP Editor.md – The Perfect WordPress Markdown Editor <= 10.2.1 - Cross Site Scripting (XSS) Vulnerability WordPress WP Editor.md – The Perfect Markdown Editor plugin <= 10.2.1 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 09 Apr 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 09 Apr 2025 16:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Benjamin Chris WP Editor.md &#8211; The Perfect WordPress Markdown Editor allows Stored XSS. This issue affects WP Editor.md &#8211; The Perfect WordPress Markdown Editor: from n/a through 10.2.1.
Title WordPress WP Editor.md – The Perfect WordPress Markdown Editor <= 10.2.1 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:03.928Z

Reserved: 2025-03-26T09:23:26.401Z

Link: CVE-2025-31035

cve-icon Vulnrichment

Updated: 2025-04-09T17:39:35.159Z

cve-icon NVD

Status : Deferred

Published: 2025-04-09T17:15:35.470

Modified: 2026-04-23T15:27:35.140

Link: CVE-2025-31035

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T11:00:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')