{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-0863", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-01-29T21:23:59.278Z", "datePublished": "2025-03-07T07:22:23.140Z", "dateUpdated": "2026-04-08T16:40:26.560Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:26.560Z"}, "affected": [{"vendor": "flexmls", "product": "Flexmls\u00ae IDX Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.14.28", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Flexmls\u00ae IDX Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'idx_frame' shortcode in all versions up to, and including, 3.14.27 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Flexmls\u00ae IDX <= 3.14.27 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c8e814b-3828-4b3f-a9ad-b3758ab9b109?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/flexmls-idx/tags/3.14.25/flexmls_connect.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/flexmls-idx/tags/3.14.25/lib/base.php#L220"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3251292%40flexmls-idx&new=3251292%40flexmls-idx&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-03-06T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-07T15:47:11.808014Z", "id": "CVE-2025-0863", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-07T15:48:35.544Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0863", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-07T15:47:11.808014Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-07T15:47:25.696Z"}}], "cna": {"title": "Flexmls\u00ae IDX <= 3.14.27 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "muhammad yudha"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "flexmls", "product": "Flexmls\u00ae IDX Plugin", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.14.28"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-06T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c8e814b-3828-4b3f-a9ad-b3758ab9b109?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/flexmls-idx/tags/3.14.25/flexmls_connect.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/flexmls-idx/tags/3.14.25/lib/base.php#L220"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3251292%40flexmls-idx&new=3251292%40flexmls-idx&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Flexmls\u00ae IDX Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'idx_frame' shortcode in all versions up to, and including, 3.14.27 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-03-07T07:22:23.140Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0863", "state": "PUBLISHED", "dateUpdated": "2025-03-07T15:48:35.544Z", "dateReserved": "2025-01-29T21:23:59.278Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-07T07:22:23.140Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Flexmls\u00ae IDX Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'idx_frame' shortcode in all versions up to, and including, 3.14.27 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Flexmls\u00ae IDX Plugin para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del c\u00f3digo abreviado 'idx_frame' del complemento en todas las versiones hasta la 3.14.27 incluida, debido a una depuraci\u00f3n de entrada y al escape de salida insuficiente en los atributos proporcionados por el usuario. Esto permite que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten secuencias de comandos web arbitrarias en p\u00e1ginas que se ejecutar\u00e1n siempre que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-0863", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-03-07T08:15:40.827", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/flexmls-idx/tags/3.14.25/flexmls_connect.php#L92"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/flexmls-idx/tags/3.14.25/lib/base.php#L220"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3251292%40flexmls-idx&new=3251292%40flexmls-idx&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c8e814b-3828-4b3f-a9ad-b3758ab9b109?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T03:30:17.748577+00:00", "value": {"mitigation_remediation": ["Upgrade Flexmls\u00ae IDX Plugin to a version newer than 3.14.27 that removes the unsafe idx_frame handling.", "If an upgrade cannot be performed immediately, restrict the idx_frame shortcode to administrator users only or remove it from all pages until a patch is available.", "Implement a web application firewall rule or use the Wordfence plugin to block XSS payloads targeting the plugin\u2019s parameters, thereby reducing the chance of successful script injection."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of the Flexmls\u00ae IDX Plugin with a version of 3.14.27 or older are affected. The vulnerability exists in every release up to and including 3.14.27.", "description_and_impact": "The Flexmls\u00ae IDX Plugin for WordPress allows an authenticated user with contributor or higher privileges to insert arbitrary JavaScript into pages through the idx_frame shortcode. The plugin fails to sanitize or escape user\u2011supplied attributes, enabling a stored cross\u2011site scripting vulnerability that will execute in the browser context of any visitor to the affected page. This can lead to session hijacking, defacement, or theft of visitor data.", "risk_and_exploitability": "The CVSS base score of 6.4 indicates a moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation under current conditions. The vulnerability is not listed in the CISA KEV catalog. An attacker must first be authenticated and possess at least contributor role privileges to inject the malicious script. Once injected, the script runs automatically whenever a page containing the idx_frame shortcode is viewed, potentially compromising all users who access those pages."}}}}, "created": "2025-07-12T15:26:27.126056+00:00", "updated": "2026-04-28T03:30:19.835250+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}