Description
The Insert Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post custom field keys (meta key names) in all versions up to, and including, 3.11.4. This is due to insufficient output escaping in the the_meta() function: while the custom field VALUE is sanitized with wp_kses_post(), the custom field KEY ($key) is interpolated into the rendered HTML (lines 1786-1791) and echoed (line 1806) without any escaping when an inserted page is rendered with the [insert page='ID' display='all'] shortcode. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-07-02
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw that occurs when a user with author or higher privileges creates custom field keys containing malicious code. The plugin’s the_meta() function outputs the key name directly into the page HTML without escaping, enabling injection of arbitrary JavaScript. An attacker can cause any visitor to the affected page to execute the injected script, which could lead to theft of session cookies, defacement, or redirection. The flaw is identified by CWE‑79 and has a CVSS score of 6.4.

Affected Systems

Insert Pages is a WordPress plugin distributed by figureone. All versions from the initial release through and including 3.11.4 are vulnerable. The issue is present in the code in lines 1786‑1791 of the plugin source and affects the rendering of [insert page='ID' display='all'] shortcodes. Users running any 3.11.4 or earlier installation are potentially exposed.

Risk and Exploitability

The vulnerability can be exploited by any authenticated user who has author privileges or higher. Since it requires valid login credentials, the risk is limited to sites that let authors create or modify custom fields. The CVSS score of 6.4 indicates a moderate severity, and the EPSS score is not available, so the current exploitation probability is unknown. The flaw is not listed in the CISA KEV catalog. Although the attack surface is confined to active sites with author accounts, the threat is real for administrators who underestimate the need to restrict meta key usage.

Generated by OpenCVE AI on July 2, 2026 at 12:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Insert Pages plugin to the latest version that removes the vulnerability or delete the plugin if an update is unavailable.
  • Restrict author and higher users from adding or editing custom fields, or enforce a naming policy that excludes potentially dangerous characters from meta key names.
  • Search the database for custom field keys that contain suspicious code or control characters and delete or sanitize them, then confirm that no malicious scripts remain.
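
An audit along the lines of the last action above, as an added example (not OpenCVE's or the plugin's code): it flags meta keys that HTML escaping would change or that contain control characters. The tab-separated export of post_id and meta_key, the function names and the sample rows are assumptions constructed for illustration.

```python
import html
import unicodedata

# Constructed sample rows (not real data): "post_id<TAB>meta_key" per line,
# the assumed shape of an export from the postmeta table.
SAMPLE_EXPORT = (
    "12\tsubtitle\n"
    "12\tprice_eur\n"
    "31\tcolor<b>\n"
    "31\tTom & Jerry\n"
    "47\tnote\x07bell\n"
)


def key_findings(meta_key):
    """Return the reasons a meta key is unsafe to print into HTML unescaped."""
    reasons = []
    # If escaping changes the key, it holds &, <, >, " or ', which a template
    # that echoes the key raw would hand to the browser as markup.
    if html.escape(meta_key, quote=True) != meta_key:
        reasons.append("html-metacharacter")
    # Control characters have no place in a field name either.
    if any(unicodedata.category(ch) == "Cc" for ch in meta_key):
        reasons.append("control-character")
    return reasons


def audit_export(text):
    """Return (post_id, meta_key, reasons) for every flagged row."""
    findings = []
    # Split on "\n" only: str.splitlines() would also break on some control chars.
    for line in text.split("\n"):
        post_id, sep, meta_key = line.partition("\t")
        if not sep:
            continue  # blank or malformed line
        reasons = key_findings(meta_key)
        if reasons:
            findings.append((post_id, meta_key, reasons))
    return findings


if __name__ == "__main__":
    for post_id, meta_key, reasons in audit_export(SAMPLE_EXPORT):
        # repr() keeps the report itself from rendering or hiding the key.
        print(f"post {post_id}: {meta_key!r} -> {', '.join(reasons)}")
```

A flagged key is not proof of compromise (the constructed "Tom & Jerry" row is benign), so review each hit before deleting or renaming it.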


Advisories

No advisories yet.

History

Thu, 02 Jul 2026 15:30:00 +0000

Values added (no values removed):

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 06:15:00 +0000

Values added (no values removed):

  • Description: The Insert Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post custom field keys (meta key names) in all versions up to, and including, 3.11.4. This is due to insufficient output escaping in the the_meta() function: while the custom field VALUE is sanitized with wp_kses_post(), the custom field KEY ($key) is interpolated into the rendered HTML (lines 1786-1791) and echoed (line 1806) without any escaping when an inserted page is rendered with the [insert page='ID' display='all'] shortcode. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  • Title: Insert Pages <= 3.11.4 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Field Keys (Meta Key Names)
  • Weaknesses: CWE-79
  • References:
  • Metrics: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-02T14:50:23.017Z

Reserved: 2026-05-29T13:27:15.359Z

Link: CVE-2026-10089

Vulnrichment

Updated: 2026-07-02T14:50:18.971Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T12:15:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')