{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13856", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-01T20:30:56.208Z", "datePublished": "2025-12-06T05:49:33.475Z", "dateUpdated": "2026-04-08T17:21:05.620Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:05.620Z"}, "affected": [{"vendor": "michaelcole1991", "product": "Extra Post Images", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Extra Post Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the extra-images shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Extra Post Images <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5fbb963-f89d-4037-9456-8587bcf5d620?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/extra-post-images/trunk/epi.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/extra-post-images/tags/1.0/epi.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/extra-post-images/tags/1.0/epi.php#L101"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2025-12-05T17:43:02.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-08T21:30:33.641355Z", "id": "CVE-2025-13856", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T21:30:51.614Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13856", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-08T21:30:33.641355Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T21:30:46.520Z"}}], "cna": {"title": "Extra Post Images <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "michaelcole1991", "product": "Extra Post Images", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-05T17:43:02.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5fbb963-f89d-4037-9456-8587bcf5d620?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/extra-post-images/trunk/epi.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/extra-post-images/tags/1.0/epi.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/extra-post-images/tags/1.0/epi.php#L101"}], "descriptions": [{"lang": "en", "value": "The Extra Post Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the extra-images shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:05.620Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13856", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:21:05.620Z", "dateReserved": "2025-12-01T20:30:56.208Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-06T05:49:33.475Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Extra Post Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the extra-images shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-13856", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-06T06:15:52.453", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/extra-post-images/tags/1.0/epi.php#L101"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/extra-post-images/tags/1.0/epi.php#L92"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/extra-post-images/trunk/epi.php#L92"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5fbb963-f89d-4037-9456-8587bcf5d620?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:02:12.332496+00:00", "value": {"mitigation_remediation": ["Update the Extra Post Images plugin to the latest version (or any version beyond 1.0) to address the stored XSS flaw.", "If an immediate update is not possible, remove or disable the shortcode\u2019s \u2018id\u2019 attribute by editing the plugin code or using a content sanitization plugin that filters shortcode parameters.", "As a temporary measure, restrict Contributor roles from editing posts containing the shortcode until a patch is applied or the shortcode is removed from those posts."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Any WordPress site running the Extra Post Images plugin version 1.0 or earlier is potentially affected. The vulnerability affects the plugin code in the core shortcode handler and does not require any external services or plugins. All WordPress installations that have granted Contributor or higher roles the ability to add or edit posts with the plugin\u2019s shortcode are within scope.", "description_and_impact": "The Extra Post Images plugin for WordPress allows the \u2018id\u2019 attribute of its shortcode to be stored without proper sanitization or escaping, creating a stored cross\u2011site scripting vulnerability. This flaw is classified as CWE\u201179 and permits an attacker who can authenticate as a Contributor or higher to inject arbitrary JavaScript into pages containing the shortcode. When an affected user views the page, the injected scripts execute in that user\u2019s browser, potentially leading to defacement, session hijacking, or other client\u2011side attacks.", "risk_and_exploitability": "The CVSS base score of 6.4 indicates a moderate impact with authentication required, but the low EPSS score of <\u202f1% suggests a small probability of exploitation at present. The vulnerability is not listed in CISA\u2019s KEV catalog, meaning there is no known widespread exploitation. Attackers would need to log into the site with a Contributor\u2011level account, inject the malicious shortcut into a post, and rely on other site users to view the compromised page to trigger the script. The main risk is client\u2011side compromise, with no immediate server\u2011side backdoor creation."}}}}, "created": "2025-12-08T09:39:32.446643+00:00", "updated": "2026-04-21T01:15:20.119153+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}