Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDO Remoji remoji allows Stored XSS. This issue affects Remoji: from n/a through <= 2.2.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, known as a Stored Cross‑Site Scripting (XSS) flaw. A malicious actor can inject arbitrary JavaScript that is persisted in the WordPress site’s database by the Remoji plugin. When any site visitor loads a page containing that data, the browser will execute the injected code. This gives an attacker the ability to steal cookies, hijack sessions, deface content or conduct phishing attacks in the victim’s browser, compromising the confidentiality and integrity of the affected site. The weakness is classified as CWE‑79.

Affected Systems

The flaw exists in the Remoji plugin for WordPress provided by WPDO. All versions from the earliest release up through 2.2 are susceptible. WordPress sites running any of these plugin versions are impacted. No additional WordPress core versions or other plugins are identified as affected.

Risk and Exploitability

The CVSS v3.1 base score of 7.1 indicates high risk. Exploitation is straightforward: an attacker simply needs to submit malicious input that the plugin stores, for example via an emoji or post that is later rendered to all viewers. The EPSS score is not available and the issue is not listed in the CISA KEV catalog, but an attacker could target any site running a vulnerable version of Remoji. As the attack requires only web access, it is highly likely to be attempted.

Generated by OpenCVE AI on March 25, 2026 at 23:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Remoji plugin to a version newer than 2.2.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wpdo; Wpdo remoji
Vendors & Products | | Wordpress; Wordpress wordpress; Wpdo; Wpdo remoji

Wed, 25 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
 | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDO Remoji remoji allows Stored XSS. This issue affects Remoji: from n/a through <= 2.2.
Title | | WordPress Remoji plugin <= 2.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T20:18:41.554Z

Reserved: 2026-02-02T12:53:47.194Z

Link: CVE-2026-25452

Vulnrichment

Updated: 2026-03-25T20:04:54.020Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:51.320

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25452

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:39Z

Weaknesses