Description
The ProcessingJS for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pjs4wp' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-04
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

For the ProcessingJS for WordPress plugin, a vulnerability allows authenticated attackers with contributor‑level or higher privileges to embed malicious scripts into pages through the ‘pjs4wp’ shortcode. This flaw arises from insufficient sanitization of user supplied attributes and lack of proper output escaping, giving attackers the ability to store arbitrary JavaScript that executes whenever any visitor loads the affected page. The impact is primarily client‑side compromise, including credential theft, session hijacking, or defacement of the site.

Affected Systems

WordPress users running the ProcessingJS for WordPress plugin from cageehv are affected. All released versions up to and including 1.2.2 are vulnerable; versions newer than 1.2.2 contain the fix.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity vulnerability. EPA on the low EPSS score of less than 1% suggests that real‑world exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. However, the requirement of contributor or superior access means that any user who gains such permissions can inject harmful code that would persist across all site visitors, making this a significant risk when access control is insufficient or roles are overly permissive.

Generated by OpenCVE AI on April 20, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ProcessingJS for WordPress plugin to the latest version (≥ 1.2.3) that addresses the XSS flaw
  • Disable or remove the ‘pjs4wp’ shortcode from existing pages to eliminate the stored code injection vector
  • Restrict contributor‑level access or review role permissions so that only trusted users can use the shortcode

Generated by OpenCVE AI on April 20, 2026 at 22:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19914 The ProcessingJS for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pjs4wp' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 07 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Jul 2025 02:30:00 +0000

Type Values Removed Values Added
Description The ProcessingJS for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pjs4wp' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title ProcessingJS for WordPress <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:52.148Z

Reserved: 2025-06-12T20:15:19.679Z

Link: CVE-2025-6039

cve-icon Vulnrichment

Updated: 2025-07-07T14:40:56.493Z

cve-icon NVD

Status : Deferred

Published: 2025-07-04T03:15:21.910

Modified: 2026-06-17T10:01:02.780

Link: CVE-2025-6039

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:30:19Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')