Description
The FL3R Accessibility Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fl3raccessibilitysuite shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The FL3R Accessibility Suite plugin for WordPress suffers from a stored cross‑site scripting flaw that allows an attacker to inject arbitrary JavaScript into content that is subsequently rendered to any user who views the affected page. The vulnerability is caused by inadequate input sanitization and output escaping when the fl3raccessibilitysuite shortcode processes user‑supplied attributes. Once the malicious payload is stored, it executes in the browser of every visitor to the injected page, compromising the confidentiality, integrity, and availability of user interactions with the site.

Affected Systems

This issue affects the FL3R Accessibility Suite plugin, developed by armandofiore, in all releases up to and including version 1.4. The plugin runs on WordPress installations that enable the fl3raccessibilitysuite shortcode within posts or pages. Any site that has installed a vulnerable version of this plugin is susceptible.

Risk and Exploitability

The CVSS score of 6.4 marks the vulnerability as moderate, but the low EPSS score of less than 1% indicates that it is unlikely to be widely exploited at present. The flaw is not listed in the CISA KEV catalog, further suggesting limited real‑world impact as of now. An attacker must be authenticated with at least contributor privileges to craft and inject the malicious payload; the exploit typically occurs through the shortcode’s attribute fields. Once the payload is stored, it can affect all users who visit the affected page.

Generated by OpenCVE AI on April 22, 2026 at 01:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the FL3R Accessibility Suite plugin to the latest version (or remove it if no longer needed);
  • Disable or remove the fl3raccessibilitysuite shortcode from content until the issue is patched, or restrict contributor access so they cannot edit pages containing the shortcode;
  • Audit existing pages for injected script payloads and clean or replace any malicious content stored via the shortcode.

Generated by OpenCVE AI on April 22, 2026 at 01:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28758 The FL3R Accessibility Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fl3raccessibilitysuite shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 08 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Fl3r
Fl3r fl3r Accessibility Suite
CPEs cpe:2.3:a:fl3r:fl3r_accessibility_suite:*:*:*:*:*:wordpress:*:*
Vendors & Products Fl3r
Fl3r fl3r Accessibility Suite

Fri, 27 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Jun 2025 07:45:00 +0000

Type Values Removed Values Added
Description The FL3R Accessibility Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fl3raccessibilitysuite shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title FL3R Accessibility Suite <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via fl3raccessibilitysuite Shortcode
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Fl3r Fl3r Accessibility Suite
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:45:37.888Z

Reserved: 2025-06-25T21:51:41.605Z

Link: CVE-2025-6689

cve-icon Vulnrichment

Updated: 2025-06-27T14:11:10.561Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-27T08:15:23.440

Modified: 2025-07-08T14:49:57.463

Link: CVE-2025-6689

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T01:15:07Z

Weaknesses