{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2512", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-14T01:55:08.510Z", "datePublished": "2026-03-18T15:28:28.763Z", "dateUpdated": "2026-04-08T16:46:21.048Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:21.048Z"}, "affected": [{"vendor": "dartiss", "product": "Code Embed", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.5.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Code Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field meta values in all versions up to, and including, 2.5.1. This is due to the plugin's sanitization function `sec_check_post_fields()` only running on the `save_post` hook, while WordPress allows custom fields to be added via the `wp_ajax_add_meta` AJAX endpoint without triggering `save_post`. The `ce_filter()` function then outputs these unsanitized meta values directly into page content without escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Code Embed <= 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/375ed04b-a3cb-4e60-83c8-18bff583aaf4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-embed-code/trunk/includes/add-embeds.php#L84"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-embed-code/trunk/includes/add-embeds.php#L20"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-embed-code/trunk/includes/secure.php#L25"}, {"url": "https://plugins.trac.wordpress.org/changeset/3482994/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-02-14T02:10:39.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-17T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T17:04:34.536044Z", "id": "CVE-2026-2512", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T17:04:44.595Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2512", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T17:04:34.536044Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T17:04:39.701Z"}}], "cna": {"title": "Code Embed <= 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "dartiss", "product": "Code Embed", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.5.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-14T02:10:39.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-17T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/375ed04b-a3cb-4e60-83c8-18bff583aaf4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-embed-code/trunk/includes/add-embeds.php#L84"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-embed-code/trunk/includes/add-embeds.php#L20"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-embed-code/trunk/includes/secure.php#L25"}, {"url": "https://plugins.trac.wordpress.org/changeset/3482994/"}], "descriptions": [{"lang": "en", "value": "The Code Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field meta values in all versions up to, and including, 2.5.1. This is due to the plugin's sanitization function `sec_check_post_fields()` only running on the `save_post` hook, while WordPress allows custom fields to be added via the `wp_ajax_add_meta` AJAX endpoint without triggering `save_post`. The `ce_filter()` function then outputs these unsanitized meta values directly into page content without escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-18T15:28:28.763Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2512", "state": "PUBLISHED", "dateUpdated": "2026-03-18T17:04:44.595Z", "dateReserved": "2026-02-14T01:55:08.510Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-18T15:28:28.763Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Code Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field meta values in all versions up to, and including, 2.5.1. This is due to the plugin's sanitization function `sec_check_post_fields()` only running on the `save_post` hook, while WordPress allows custom fields to be added via the `wp_ajax_add_meta` AJAX endpoint without triggering `save_post`. The `ce_filter()` function then outputs these unsanitized meta values directly into page content without escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Code Embed para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de valores meta de campos personalizados en todas las versiones hasta la 2.5.1, inclusive. Esto se debe a que la funci\u00f3n de saneamiento del plugin `sec_check_post_fields()` solo se ejecuta en el hook `save_post`, mientras que WordPress permite que se a\u00f1adan campos personalizados a trav\u00e9s del endpoint AJAX `wp_ajax_add_meta` sin activar `save_post`. La funci\u00f3n `ce_filter()` luego muestra estos valores meta no saneados directamente en el contenido de la p\u00e1gina sin escapar. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador o superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-2512", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-18T16:16:27.030", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-embed-code/trunk/includes/add-embeds.php#L20"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-embed-code/trunk/includes/add-embeds.php#L84"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-embed-code/trunk/includes/secure.php#L25"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3482994/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/375ed04b-a3cb-4e60-83c8-18bff583aaf4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.1]"}}], "enrichment": {"confidence": 90.0, "confidence_source": "matching", "scores": [{"score": 90.0, "source": "matching"}]}, "original": {"product": "Code Embed", "source": "cna", "vendor": "dartiss"}, "product": "code_embed", "vendor": "davidartiss"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-18T16:50:20.123929+00:00", "value": {"mitigation_remediation": ["Update the Code Embed plugin to a version newer than 2.5.1 once it becomes available.", "If an immediate update is not possible, restrict Contributor\u2011level users from adding custom fields or delete existing custom field values that contain script code.", "Verify all posts and other content that may contain embedded scripts and remove any malicious code that remains stored in the database."], "summary": {"action": "Patch", "impact": "Stored XSS"}, "threat_synthesis": {"affected_systems": "All installations of the dartiss Code Embed plugin with a version number of 2.5.1 or earlier are affected. No specific patch version is listed in the data; the vulnerability exists in every build up to the mentioned release.", "description_and_impact": "The Code Embed plugin for WordPress is vulnerable to stored cross\u2011site scripting via custom field meta values in all versions up to and including 2.5.1. The plugin\u2019s sanitization function, `sec_check_post_fields()`, is only executed on the `save_post` hook, but WordPress permits custom fields to be added through the `wp_ajax_add_meta` AJAX endpoint without invoking `save_post`. Consequently, the `ce_filter()` function outputs these unsanitized meta values directly into page content. An attacker who is authenticated with Contributor\u2011level access or higher can therefore inject arbitrary JavaScript, resulting in phishing, cookie theft, defacement, or other malicious actions. This issue is identified as CWE\u201179 (Improper Neutralization of Input During Web Page Generation).", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.4, indicating moderate severity. EPSS information is not available, and the flaw is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with Contributor\u2011level or higher access and does not demand external network access beyond normal WordPress traffic. Because the malicious script is stored in the database and executed whenever the affected page is rendered, any site visitor who accesses the page is at risk, making the impact potentially widespread among users of the compromised site."}}}}, "created": "2026-03-19T08:56:31.068695+00:00", "updated": "2026-03-24T10:58:37.816152+00:00", "vendors": ["davidartiss", "davidartiss$PRODUCT$code_embed", "wordpress", "wordpress$PRODUCT$wordpress"]}