Description
The Code Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field meta values in all versions up to, and including, 2.5.1. This is due to the plugin's sanitization function `sec_check_post_fields()` only running on the `save_post` hook, while WordPress allows custom fields to be added via the `wp_ajax_add_meta` AJAX endpoint without triggering `save_post`. The `ce_filter()` function then outputs these unsanitized meta values directly into page content without escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-03-18
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Patch
AI Analysis

Impact

The Code Embed plugin for WordPress is vulnerable to stored cross‑site scripting via custom field meta values in all versions up to and including 2.5.1. The plugin’s sanitization function, `sec_check_post_fields()`, is only executed on the `save_post` hook, but WordPress permits custom fields to be added through the `wp_ajax_add_meta` AJAX endpoint without invoking `save_post`. Consequently, the `ce_filter()` function outputs these unsanitized meta values directly into page content. An attacker who is authenticated with Contributor‑level access or higher can therefore inject arbitrary JavaScript, resulting in phishing, cookie theft, defacement, or other malicious actions. This issue is identified as CWE‑79 (Improper Neutralization of Input During Web Page Generation).
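Because both the post editor's save path and the `wp_ajax_add_meta` endpoint ultimately write through WordPress's metadata API, a site operator can close the gap described above with a must-use plugin that hooks the core `added_post_meta` and `updated_post_meta` actions instead of relying on `save_post`. This is an added example, not Code Embed's own code; the function name, the mu-plugin packaging and the choice of `wp_kses_post()` as the allowlist are assumptions, and it assumes the meta is rendered in HTML body context as the description states.

```php
<?php
/**
 * Plugin Name: Harden Custom Field Meta (added example, not part of Code Embed)
 *
 * Drop into wp-content/mu-plugins/. The core `added_post_meta` and
 * `updated_post_meta` actions fire for every code path that writes post meta,
 * including the `wp_ajax_add_meta` AJAX endpoint, so this check does not
 * depend on the `save_post` hook ever running.
 */

/**
 * Re-sanitize a freshly written post meta value when the acting user lacks
 * the `unfiltered_html` capability (Contributors and Authors by default).
 *
 * @param int    $meta_id    Row id in wp_postmeta.
 * @param int    $post_id    Post the meta row belongs to.
 * @param string $meta_key   Meta key.
 * @param mixed  $meta_value Value as written (already unserialized).
 */
function hcf_sanitize_low_priv_meta( $meta_id, $post_id, $meta_key, $meta_value ) {
    static $in_progress = false;

    // Only strings containing '<' can introduce markup in body context;
    // leaving other values alone avoids touching URLs, JSON or arrays.
    if ( $in_progress || ! is_string( $meta_value ) || false === strpos( $meta_value, '<' ) ) {
        return;
    }
    // Users trusted with unfiltered_html keep full control; everyone else gets
    // the same post-content allowlist WordPress applies to their own posts.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return;
    }
    $clean = wp_kses_post( $meta_value );
    if ( $clean === $meta_value ) {
        return;
    }

    // Rewrite the row in place. update_metadata_by_mid() fires
    // updated_post_meta itself, so guard against re-entry.
    $in_progress = true;
    update_metadata_by_mid( 'post', $meta_id, $clean );
    $in_progress = false;

    // Audit trail for detection: which user wrote disallowed markup where.
    error_log( sprintf(
        'hcf: stripped disallowed markup from meta "%s" on post %d written by user %d',
        $meta_key, $post_id, get_current_user_id()
    ) );
}
add_action( 'added_post_meta',   'hcf_sanitize_low_priv_meta', 10, 4 );
add_action( 'updated_post_meta', 'hcf_sanitize_low_priv_meta', 10, 4 );
```

The `error_log()` line gives a simple signal to alert on: repeated hits from one low-privilege account indicate someone probing the custom-fields path.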

Affected Systems

All installations of the dartiss Code Embed plugin with a version number of 2.5.1 or earlier are affected. No specific patch version is listed in the data; the vulnerability exists in every build up to the mentioned release.

Risk and Exploitability

The vulnerability has a CVSS score of 6.4, indicating moderate severity. EPSS information is not available, and the flaw is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with Contributor‑level or higher access and does not demand external network access beyond normal WordPress traffic. Because the malicious script is stored in the database and executed whenever the affected page is rendered, any site visitor who accesses the page is at risk, making the impact potentially widespread among users of the compromised site.

Generated by OpenCVE AI on March 18, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Code Embed plugin to a version newer than 2.5.1 once it becomes available.
  • If an immediate update is not possible, restrict Contributor‑level users from adding custom fields or delete existing custom field values that contain script code.
  • Verify all posts and other content that may contain embedded scripts and remove any malicious code that remains stored in the database.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 09:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Davidartiss; Davidartiss code Embed; Wordpress; Wordpress wordpress
Vendors & Products    -                Davidartiss; Davidartiss code Embed; Wordpress; Wordpress wordpress

Wed, 18 Mar 2026 18:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 15:45:00 +0000

Type         Values Removed   Values Added
Description  -                The Code Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field meta values in all versions up to, and including, 2.5.1. This is due to the plugin's sanitization function `sec_check_post_fields()` only running on the `save_post` hook, while WordPress allows custom fields to be added via the `wp_ajax_add_meta` AJAX endpoint without triggering `save_post`. The `ce_filter()` function then outputs these unsanitized meta values directly into page content without escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title        -                Code Embed <= 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields
Weaknesses   -                CWE-79
References   -
Metrics      -                cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:21.048Z

Reserved: 2026-02-14T01:55:08.510Z

Link: CVE-2026-2512

Vulnrichment

Updated: 2026-03-18T17:04:39.701Z

NVD

Status: Deferred

Published: 2026-03-18T16:16:27.030

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-2512

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:58:37Z

Weaknesses