Description
The Smart Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2025-10-03
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via authenticated admin settings
Action: Patch Immediately
AI Analysis

Impact

The Smart Docs plugin for WordPress contains a stored Cross‑Site Scripting weakness in its admin configuration, caused by insufficient input filtering and a lack of output escaping. An attacker with administrator-level access or above in a multi‑site WordPress deployment where the unfiltered_html capability has been disabled can embed arbitrary client‑side scripts that are served to any user who views the affected configuration pages. This flaw lets the attacker run code in the victim's browser context, potentially compromising session cookies, defacing content, or exfiltrating sensitive information, thereby jeopardising both confidentiality and integrity as well as the broader availability of the site to legitimate users.
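The two halves of the weakness named above, missing input sanitization and missing output escaping, are easiest to see side by side. The block below is an added illustration of that pattern in a generic WordPress settings handler and its hardened form; it is not Smart Docs code, and the option name, field name and function names are hypothetical. It also shows why unfiltered_html matters here: WordPress core applies its kses allow-list to post content saved by users without that capability, but not to values a plugin stores with update_option(), so a plugin must do its own sanitizing and escaping.

```php
<?php
// Added illustration, not the plugin's code. Option, field and function
// names (hypo_docs_*) are hypothetical.

// --- Vulnerable pattern: the raw POST value is stored and later echoed as-is.
function hypo_docs_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'hypo_docs_settings' );
    // No sanitization: update_option() is not covered by core's kses filters,
    // so any markup typed into the field is persisted verbatim, even for an
    // admin who lacks unfiltered_html (the multisite default).
    update_option( 'hypo_docs_title', wp_unslash( $_POST['hypo_docs_title'] ?? '' ) );
}

function hypo_docs_render_title_vulnerable() {
    // No escaping: whatever was stored is written straight into the page
    // and runs in the browser of every user who views it.
    echo '<h2>' . get_option( 'hypo_docs_title', '' ) . '</h2>';
}

// --- Hardened pattern: sanitize on the way in, escape on the way out.
function hypo_docs_register_settings() {
    register_setting(
        'hypo_docs',
        'hypo_docs_title',
        array(
            'type'              => 'string',
            // sanitize_text_field() strips tags and invalid bytes before save.
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'hypo_docs_register_settings' );

function hypo_docs_render_title_hardened() {
    // esc_html() encodes <, >, &, " and ' so stored text cannot become markup,
    // even if an older unsanitized value is still in the database.
    echo '<h2>' . esc_html( get_option( 'hypo_docs_title', '' ) ) . '</h2>';
}

// For a setting that legitimately needs some HTML, keep it to the same
// post-content allow-list core enforces on users without unfiltered_html.
function hypo_docs_sanitize_rich_field( $value ) {
    return wp_kses_post( $value );
}
```

Escaping at output is the control that also neutralises values already stored before the fix, which is why both halves belong in a patch rather than sanitization alone.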

Affected Systems

The flaw afflicts versions of the Smart Docs plugin up to and including 1.1.1 distributed by the vendor ibachal. It is specific to WordPress installations configured for multiple sites and where the option to allow unfiltered_html output has been turned off, meaning it only applies to environments that have tightened the default filtering behavior for administrators. All other single‑site installs or those retaining the unfiltered_html setting are unaffected.

Risk and Exploitability

The CVSS score of 5.5 rates this flaw as medium severity, but the EPSS estimate of less than 1% indicates a very low probability of real‑world exploitation at this time. Because the vulnerability requires administrator‑level authentication and a specific multi‑site configuration with filtered HTML, the likelihood of widespread exploitation remains low, and the flaw is not currently listed in CISA's KEV catalog. Nevertheless, once a site owner has granted admin rights in a filtered environment, the attacker can quickly poison the stored configuration data, allowing the malicious script to run on every subsequent view by any logged‑on user.

Generated by OpenCVE AI on April 22, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Smart Docs to the latest version available to address the stored XSS flaw
  • Re‑enable the unfiltered_html capability only for trusted services or remove it entirely from the admin role in the affected multi‑site installation
  • Implement a strong Content Security Policy that disallows inline scripts to mitigate the impact if the flaw persists until the patch is applied
  • Regularly scan the plugin configuration for injected content to detect any residual exposure

Advisories

Source: EUVD
ID: EUVD-2025-32283
Title: The Smart Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

History

Mon, 06 Oct 2025 14:45:00 +0000

First Time appeared (values added): Ibachal; Ibachal smart Docs; Wordpress; Wordpress wordpress
Vendors & Products (values added): Ibachal; Ibachal smart Docs; Wordpress; Wordpress wordpress

Fri, 03 Oct 2025 18:15:00 +0000

Metrics ssvc (values added):

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Oct 2025 11:30:00 +0000

Description (values added): The Smart Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title (values added): Smart Docs <= 1.1.1 - Authenticated (Admin+) Stored Cross-Site Scripting
Weaknesses (values added): CWE-79
References (values added):
Metrics cvssV3_1 (values added):

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:45.565Z

Reserved: 2025-08-21T22:23:14.471Z

Link: CVE-2025-9333

Vulnrichment

Updated: 2025-10-03T17:57:17.638Z

NVD

Status : Deferred

Published: 2025-10-03T12:15:48.107

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9333

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:00:12Z

Weaknesses