CVE-2025-15658
Received Received - Intake
Administrator XSS in WP Emmet Plugin

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: Patchstack

Description
Administrator Cross Site Scripting (XSS) in WP Emmet <= 0.3.4 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-15
Last Modified
2026-06-15
Generated
2026-06-15
AI Q&A
2026-06-15
EPSS Evaluated
N/A
NVD
CVE-2025-15658
EUVD
EUVD-2025-210139
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
patchstack wp_emmet to 0.3.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability is a Cross Site Scripting (XSS) issue in the WordPress WP Emmet plugin versions up to and including 0.3.4. It allows an attacker who has administrator privileges to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, into the website. These scripts execute when visitors access the site.

This vulnerability falls under the OWASP Top 10 category A3: Injection and has a CVSS score of 5.9, indicating a low severity level.

No official patch or fixed version is available because the plugin appears to be abandoned and has not been updated for over a year.

Impact Analysis

If exploited, this vulnerability allows an attacker with administrator access to inject malicious scripts into your website. These scripts can perform unwanted actions such as redirecting visitors to malicious sites, displaying unauthorized advertisements, or executing other harmful HTML payloads.

This can lead to compromised website integrity, loss of visitor trust, and potential further exploitation of your site.

Since the plugin is abandoned and unpatched, the risk is heightened by opportunistic automated attacks targeting unpatched sites.

Mitigation requires either applying a virtual patch provided by Patchstack or removing and replacing the plugin with a supported alternative.

Mitigation Strategies

The WP Emmet plugin versions up to and including 0.3.4 are vulnerable to an administrator Cross Site Scripting (XSS) vulnerability with no official patch available.

Immediate mitigation steps include removing and replacing the vulnerable plugin with an alternative plugin, as deactivating it alone does not eliminate the risk.

Patchstack offers virtual patching (vPatch) that can auto-mitigate the vulnerability without an official fix, providing rapid protection against exploitation.

Due to the risk of opportunistic automated attacks, timely mitigation and professional incident response are recommended if compromise is suspected.

Compliance Impact

The vulnerability allows an attacker with administrator privileges to inject malicious scripts into a website, which can lead to unauthorized actions and potential data exposure.

Such unauthorized script injections can compromise the confidentiality and integrity of user data, potentially violating data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.

Since the plugin is abandoned with no official patch, the risk of exploitation remains unless mitigated by virtual patching or removal, which is critical to maintain compliance with security standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15658. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart