Impact
The vulnerability is a stored cross‑site scripting flaw that occurs when a user with author or higher privileges creates custom field keys containing malicious code. The plugin’s the_meta() function outputs the key name directly into the page HTML without escaping, enabling injection of arbitrary JavaScript. An attacker can cause any visitor to the affected page to execute the injected script, which could lead to theft of session cookies, defacement, or redirection. The flaw is identified by CWE‑79 and has a CVSS score of 6.4.
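The difference between emitting a custom field key as-is and escaping it at output time, as an added example that is not the Insert Pages source: the function names and sample data are hypothetical, the value is assumed to be escaped in both versions so that only the key differs, and the esc_html() shim stands in for the WordPress function when run outside WordPress.

```php
<?php
// Added illustration only; not the Insert Pages source. All function names are hypothetical.

// Stand-in for WordPress's esc_html() so the file also runs outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Pattern described in the advisory: the key name reaches the HTML unescaped.
function render_meta_unescaped(array $meta): string {
    $items = '';
    foreach ($meta as $key => $value) {
        $items .= "<li><span class='post-meta-key'>" . $key . ":</span> "
                . esc_html($value) . "</li>\n";
    }
    return "<ul class='post-meta'>\n" . $items . "</ul>\n";
}

// Corrected pattern: key and value are both escaped at output time.
function render_meta_escaped(array $meta): string {
    $items = '';
    foreach ($meta as $key => $value) {
        $items .= "<li><span class='post-meta-key'>" . esc_html($key) . ":</span> "
                . esc_html($value) . "</li>\n";
    }
    return "<ul class='post-meta'>\n" . $items . "</ul>\n";
}

// Audit helper: keys whose escaped form differs contain HTML metacharacters.
function keys_needing_review(array $meta): array {
    return array_values(array_filter(
        array_map('strval', array_keys($meta)),
        fn($key) => esc_html($key) !== $key
    ));
}

// Constructed sample data: one ordinary key and one key carrying markup.
$meta = [
    'mood' => 'calm',
    'note<script>alert(1)</script>' => 'example value',
];

echo "--- unescaped key ---\n", render_meta_unescaped($meta);
echo "--- escaped key ---\n", render_meta_escaped($meta);
echo "--- keys to review ---\n", implode("\n", keys_needing_review($meta)), "\n";
```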
Affected Systems
Insert Pages is a WordPress plugin distributed by figureone. All versions from the initial release through and including 3.11.4 are vulnerable. The affected code is at lines 1786‑1791 of the plugin source and handles the rendering of [insert page='ID' display='all'] shortcodes. Any installation running 3.11.4 or earlier is potentially exposed.
Risk and Exploitability
The vulnerability can be exploited by any authenticated user who has author privileges or higher. Since it requires valid login credentials, the risk is limited to sites that let authors create or modify custom fields. The CVSS score of 6.4 indicates a moderate severity, and the EPSS score is not available, so the current exploitation probability is unknown. The flaw is not listed in the CISA KEV catalog. The attack surface is confined to active sites with author accounts, and on those sites the threat is real for administrators who underestimate the need to restrict meta key usage.