Embed Any Document < 2.7.8 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-60099 | Plugin Vulnerabilities

Description

The Embed Any Document plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

embed-any-document

Fixed in 2.7.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0e1bbf81-a61e-48d6-8485-9a6b6278dc39

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

63n0

Verified

No

WPVDB ID

2e514310-0e65-4fa1-a387-7417a29b7b71

Timeline

Publicly Published

2025-09-26 (about 8 months ago)

Added

2025-09-29 (about 8 months ago)

Last Updated

2025-11-07 (about 6 months ago)

Other

Published

Title

Published

2016-03-12

Title

Soundy Background Music <= 3.1 - Reflected Cross-Site Scripting (XSS)

Published

2025-01-04

Title

Kalium < 3.19 - Reflected Cross-Site Scripting

Published

2025-12-19

Title

Nex-Forms Express WP Form Builder < 9.1.8 - Authenticated Stored XSS

Published

2025-11-11

Title

Easy Email Subscription < 1.3.1 - Unauthenticated Stored Cross-Site Scripting

Published

2019-10-16

Title

All In One SEO Pack < 3.2.7 - Stored Cross-Site Scripting (XSS)