Description
The Mmm Unity Loader plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘attributes’ parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-08-02
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross–Site Scripting that allows a contributor‑level attacker to inject arbitrary scripts into pages and have them executed for any user who views the page
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the Mmm Unity Loader plugin permits the storage of malicious JavaScript through the attributes parameter. When a page that contains the injected content is viewed, the browser executes the script, which could be used to steal session cookies, deface content, or perform other client‑side attacks. The impact is limited to the client’s browser execution context, but it can affect all visitors to the offending page.

Affected Systems

All versions of the Mmm Unity Loader WordPress plugin up to and including 1.0, distributed by mmanifesto and listed on the WordPress plugin repository. The issue applies to any WordPress installation that has these plugins installed and permits Contributor‑level or higher users to edit content via the plugin’s attributes field.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate overall risk. An EPSS score of less than 1% suggests exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to be logged in to WordPress with Contributor or higher privileges and to use the plugin’s attributes input to store malicious code. Once the code is stored, it will run automatically for any user who accesses the affected page, making it a stealthy but client‑side attack vector.

Generated by OpenCVE AI on April 22, 2026 at 14:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Mmm Unity Loader plugin to the latest version that removes the vulnerable attributes field.
  • If an upgrade is not yet available, delete or deactivate the plugin to eliminate the attack surface.
  • Restrict or remove Contributor‑level access on the WordPress site and audit existing content for injected scripts to prevent malicious code from remaining on live pages

Generated by OpenCVE AI on April 22, 2026 at 14:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-23430 The Mmm Unity Loader plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘attributes’ parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 05 Aug 2025 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Mediamanifesto
Mediamanifesto mmm Unity Loader
Wordpress
Wordpress wordpress
Vendors & Products Mediamanifesto
Mediamanifesto mmm Unity Loader
Wordpress
Wordpress wordpress

Mon, 04 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 02 Aug 2025 08:45:00 +0000

Type Values Removed Values Added
Description The Mmm Unity Loader plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘attributes’ parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Mmm Unity Loader <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via attributes Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Mediamanifesto Mmm Unity Loader
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:44:01.444Z

Reserved: 2025-07-30T22:51:26.895Z

Link: CVE-2025-8399

cve-icon Vulnrichment

Updated: 2025-08-04T13:43:29.782Z

cve-icon NVD

Status : Deferred

Published: 2025-08-02T09:15:48.340

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8399

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T14:45:19Z

Weaknesses