Description
The eID Easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via authenticated Contributor access
Action: Patch plugin
AI Analysis

Impact

eID Easy, a WordPress plugin, contains a stored cross‑site scripting flaw reachable through the id parameter. Because the plugin neither sanitizes that input nor escapes it on output, an authenticated user with Contributor or higher privileges can persist arbitrary JavaScript in site content. A Contributor cannot publish, so the usual path is an editor or administrator previewing or publishing the injected draft; from then on the script executes in the browser of every user who loads the affected page and can act with that user's privileges (including administrative actions if the victim is an administrator), phish credentials, deface the page, or load further payloads. The weakness is CWE‑79, improper neutralization of input during web page generation: the root cause is missing output escaping, so input validation on its own is not a complete fix.
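To make the failure mode concrete, here is an added PHP example that is not code from the eID Easy plugin: the shortcode names, markup and payload are hypothetical and constructed for illustration. It renders an id value the insecure way described above and then the hardened way (validate on input, escape for the exact output context). Users without the unfiltered_html capability, Contributors included, have raw script tags stripped by KSES on save, which is why a plugin that echoes its own parameters unescaped is a common route to stored XSS at that privilege level.

```php
<?php
/**
 * Added example, not code from the eID Easy plugin. Both shortcodes, their
 * markup and the payload in the comment are hypothetical; load this file as a
 * must-use plugin (wp-content/mu-plugins/) to try both.
 */

// INSECURE: the attribute value reaches the page untouched. A Contributor
// can save a draft containing  [demo_unsafe id='" onmouseover="alert(1)']
// (constructed payload); when an editor previews or publishes it, the
// rendered div carries an event handler that runs in the viewer's browser.
function demo_unsafe_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'demo_unsafe' );
    return '<div class="demo-widget" data-id="' . $atts['id'] . '"></div>';
}
add_shortcode( 'demo_unsafe', 'demo_unsafe_shortcode' );

// HARDENED: validate on input, escape on output for the exact context.
// absint() turns anything non-numeric into 0, which is then rejected, so the
// value can never carry quotes or angle brackets; esc_attr() stays in place
// anyway, because output escaping must not depend on upstream validation.
function demo_safe_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'demo_safe' );
    $id   = absint( $atts['id'] );
    if ( 0 === $id ) {
        return ''; // refuse rather than echo unexpected input
    }
    return sprintf(
        '<div class="demo-widget" data-id="%s"></div>',
        esc_attr( (string) $id )
    );
}
add_shortcode( 'demo_safe', 'demo_safe_shortcode' );

// If the identifier is a free-form string (a record key, for example),
// validate against an explicit allowlist and still escape for the context:
// esc_attr() inside attributes, esc_html() in text nodes, esc_url() in
// href/src, wp_json_encode() for values placed in inline JavaScript.
function demo_render_key( $key ) {
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $key ) ) {
        return '';
    }
    return '<span class="demo-key">' . esc_html( $key ) . '</span>';
}
```

The point of keeping esc_attr() in the hardened shortcode even after absint() is that the two controls fail independently: a later refactor that accepts non-numeric ids would otherwise silently reopen the hole.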

Affected Systems

The flaw is present in every eID Easy release up to and including version 4.9.3, on any WordPress version. This page records no fixed release, so treat any installation of the plugin as affected until the vendor publishes a version above 4.9.3 that addresses the issue; confirm the installed version from the Plugins screen or with wp plugin list. WordPress core is not vulnerable; the defect is confined to the plugin.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) describes a network‑reachable flaw that needs only low privileges and no user interaction, with changed scope because the script runs in other users' browsers, and low confidentiality and integrity impact. The EPSS score below 1 % indicates a low observed probability of exploitation at the time of this analysis, and the SSVC assessment records no known exploitation, not automatable, and partial technical impact. The vulnerability is not catalogued in the CISA KEV list. Exploitation requires a Contributor‑level or higher account, so an attacker must first obtain one, whether by registering on a site that grants that role to guest authors or by compromising an existing user's credentials or session. Once stored, the payload runs for every user who views the injected page, which matters most on high‑traffic sites and whenever a privileged user previews the content, since the script then acts with that user's rights.

Generated by OpenCVE AI on April 21, 2026 at 02:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update eID Easy to the latest available version or apply an official patch when it becomes available.
  • If an update is not available, patch the plugin locally: validate the id parameter on input (absint() or intval() for numeric identifiers, an explicit allowlist for string keys) and escape it on every output for the context it lands in (esc_attr() inside HTML attributes, esc_html() in text, esc_url() in href or src, wp_json_encode() or esc_js() inside inline script). Keep the local patch under version control, since the next plugin update will overwrite it.
  • Restrict Contributor‑level access to trusted users only or remove the role entirely until the vulnerability is fixed, to reduce the attack surface.
  • Search the database for payloads that are already stored: check post content in all statuses (drafts and pending review included, since Contributors cannot publish), post meta and plugin options for <script> tags, inline event handlers such as onerror= or onmouseover=, and javascript: URLs. Remove or sanitize each hit, and record which user saved it so the account can be reviewed.
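As an added example that is not tooling from this page or from the plugin, the following PHP implements the last action above. Run it with the WP‑CLI command wp eval-file find-stored-payloads.php; the function and marker names are hypothetical, and the marker list is a coarse substring filter rather than an HTML parser.

```php
<?php
/**
 * Added example, not from the page or the plugin. Run with
 *   wp eval-file find-stored-payloads.php
 * to list rows whose stored value carries a common stored-XSS marker.
 * Names are hypothetical. LIKE is a coarse filter: review every hit by hand
 * before editing, and extend the list if you know the exact injection shape.
 */

function demo_xss_markers() {
    return array(
        '<script', '<svg', '<iframe', 'onerror=', 'onload=',
        'onmouseover=', 'onfocus=', 'javascript:', 'srcdoc=',
    );
}

// Scans posts in every status (Contributors can only create drafts and
// pending posts, so published rows alone would miss their payloads), then
// postmeta and options, where plugin settings usually live. Returns the hits
// instead of printing them so the function can be reused from other code.
function demo_find_stored_payloads() {
    global $wpdb;
    $hits = array();

    foreach ( demo_xss_markers() as $marker ) {
        $like = '%' . $wpdb->esc_like( $marker ) . '%';

        $posts = $wpdb->get_results( $wpdb->prepare(
            "SELECT ID, post_author, post_status, post_type FROM {$wpdb->posts} WHERE post_content LIKE %s",
            $like
        ) );
        foreach ( $posts as $p ) {
            $hits[] = array(
                'table'  => 'posts',
                'id'     => (int) $p->ID,
                'where'  => "{$p->post_type}/{$p->post_status} by user {$p->post_author}",
                'marker' => $marker,
            );
        }

        $meta = $wpdb->get_results( $wpdb->prepare(
            "SELECT post_id, meta_key FROM {$wpdb->postmeta} WHERE meta_value LIKE %s",
            $like
        ) );
        foreach ( $meta as $m ) {
            $hits[] = array( 'table' => 'postmeta', 'id' => (int) $m->post_id, 'where' => $m->meta_key, 'marker' => $marker );
        }

        $opts = $wpdb->get_results( $wpdb->prepare(
            "SELECT option_name FROM {$wpdb->options} WHERE option_value LIKE %s",
            $like
        ) );
        foreach ( $opts as $o ) {
            $hits[] = array( 'table' => 'options', 'id' => 0, 'where' => $o->option_name, 'marker' => $marker );
        }
    }
    return $hits;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    $hits = demo_find_stored_payloads();
    foreach ( $hits as $h ) {
        WP_CLI::log( sprintf( '%-8s %6d %-40s %s', $h['table'], $h['id'], $h['where'], $h['marker'] ) );
    }
    WP_CLI::log( count( $hits ) . ' hit(s). Legitimate embeds and inline SVG match too; triage before removing.' );
}
```

The post_author column in each posts hit is what lets you tie a payload back to the account that saved it, which feeds the account review recommended above.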



Advisories
Source   ID                 Title
EUVD     EUVD-2025-27642    (same text as the Description above)
History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Fri, 12 Sep 2025 08:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Eideasy; Eideasy eid Easy; Wordpress; Wordpress wordpress
Vendors & Products                     Eideasy; Eideasy eid Easy; Wordpress; Wordpress wordpress

Thu, 11 Sep 2025 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc (version 2.0.3): Exploitation = none; Automatable = no; Technical Impact = partial


Thu, 11 Sep 2025 07:30:00 +0000

Type          Values Removed   Values Added
Description                    (same text as the Description above)
Title                          eID Easy <= 4.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1: score 6.4, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:53.552Z

Reserved: 2025-08-18T20:09:45.088Z

Link: CVE-2025-9128

Vulnrichment

Updated: 2025-09-11T13:34:24.615Z

NVD

Status: Deferred

Published: 2025-09-11T08:15:36.550

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9128

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:00:06Z

Weaknesses