Description
The Yoga Schedule Momoyoga plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'momoyoga-schedule' shortcode in all versions up to, and including, 2.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-30
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

The Yoga Schedule Momoyoga WordPress plugin stores user‑supplied attributes from its ‘momoyoga‑schedule’ shortcode without proper sanitization or escaping, allowing authenticated attackers with contributor or higher permissions to inject arbitrary JavaScript. This stored cross‑site scripting flaw means that any visitor viewing a page containing the affected shortcode will automatically execute the malicious script, creating opportunities for credential theft, session hijacking, or site defacement.
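
The defect class described above, shown as an added example that is not the Momoyoga plugin's own code: a shortcode handler that prints contributor-supplied attribute values straight into markup, beside the hardened form that whitelists, sanitizes and context-escapes each attribute. The attribute names (id, title, css_class) are assumptions; the page does not list the real shortcode's attributes.

```php
<?php
// Added example, not the Momoyoga plugin's code. Attribute names are hypothetical.

// BEFORE: the pattern behind this CVE class. Attribute values chosen by a
// contributor-level author reach the page unescaped. KSES filtering of the
// post body does not help, because this markup is built by the handler at
// render time, after the content filter has already run.
function momoyoga_schedule_unsafe( $atts ) {
    return '<div class="' . $atts['css_class'] . '" data-id="' . $atts['id'] . '">'
         . '<h3>' . $atts['title'] . '</h3></div>';
}

// AFTER: hardened handler. Every attribute is whitelisted, typed and then
// escaped for the exact context it is printed into.
function momoyoga_schedule_safe( $atts ) {
    // shortcode_atts() drops attributes not in the whitelist and fills defaults.
    $atts = shortcode_atts(
        array( 'id' => 0, 'title' => '', 'css_class' => 'momoyoga-schedule' ),
        $atts,
        'momoyoga-schedule'
    );
    $id    = absint( $atts['id'] );                                          // digits only
    $class = sanitize_html_class( $atts['css_class'], 'momoyoga-schedule' );  // [A-Za-z0-9_-], else fallback
    $title = sanitize_text_field( $atts['title'] );                          // strips tags and control chars

    // Escape at output time, per context: esc_attr() inside an attribute value,
    // esc_html() inside a text node, %d for the integer.
    return sprintf(
        '<div class="%s" data-id="%d"><h3>%s</h3></div>',
        esc_attr( $class ),
        $id,
        esc_html( $title )
    );
}

add_shortcode( 'momoyoga-schedule', 'momoyoga_schedule_safe' );
```

Review of a patch for this bug should confirm both halves are present: input is constrained to the type the attribute needs, and output is escaped with the function matching the HTML context, since sanitizing alone does not cover every placement.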

Affected Systems

WordPress installations that have the Momoyoga plugin version 2.9.0 or earlier are affected. Any such site that includes the vulnerable shortcode in posts or pages is susceptible to the flaw.

Risk and Exploitability

The CVSS score of 6.4 categorises the vulnerability as moderate severity, but the EPSS score below 1% indicates a low likelihood of current exploitation. The flaw is not listed in CISA's KEV catalog, further suggesting limited real‑world impact to date. Nevertheless, the attack only requires contributor‑level access, meaning that compromised credentials can readily be used to supply malicious shortcode attributes, making timely remediation advisable.

Generated by OpenCVE AI on April 21, 2026 at 18:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Momoyoga plugin to version 2.9.1 or later, which removes the unsafe shortcode handling.
  • If an upgrade is not immediately possible, delete all instances of the ‘momoyoga‑schedule’ shortcode from public content or configure the plugin to disallow its use on non‑admin pages.
  • Restrict contributor users to the minimum permissions required; revoke contributor access for users who do not need to manage scheduled sessions.

Generated by OpenCVE AI on April 21, 2026 at 18:59 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-31693
Title: The Yoga Schedule Momoyoga plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'momoyoga-schedule' shortcode in all versions up to, and including, 2.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 08 Apr 2026 17:45:00 +0000


Tue, 30 Sep 2025 16:15:00 +0000

Type: Metrics ssvc
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Sep 2025 09:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Tue, 30 Sep 2025 03:45:00 +0000

Type: Description
Values Added: The Yoga Schedule Momoyoga plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'momoyoga-schedule' shortcode in all versions up to, and including, 2.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
Values Added: Yoga Schedule Momoyoga <= 2.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics cvssV3_1
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:01:07.994Z

Reserved: 2025-09-02T15:15:32.393Z

Link: CVE-2025-9852

Vulnrichment

Updated: 2025-09-30T15:25:14.073Z

NVD

Status : Deferred

Published: 2025-09-30T11:37:47.203

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9852

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:00:36Z

Weaknesses