WordPress Plugin Vulnerabilities

WP Editor.md – The Perfect WordPress Markdown Editor <= 10.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description

The WP Editor.md – The Perfect WordPress Markdown Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 10.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
wp-editormd
No known fix

References

CVE
CVE-2025-31035
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b128ecb7-325d-43c1-8187-c5949242e760

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Verified
No
WPVDB ID
344a5024-5b3e-4b24-9543-83469759a6c6

Timeline

Publicly Published
2025-04-09 (about 11 months ago)
Added
2025-04-16 (about 11 months ago)
Last Updated
2025-04-16 (about 11 months ago)

Other

Published
Title
Published
2026-01-20
Title
Easy Theme Options <= 1.0 - Reflected Cross-Site Scripting
Published
2025-01-16
Title
REDIRECTION PLUS <= 2.0.0 - Reflected Cross-Site Scripting
Published
2025-01-14
Title
WP Projects Portfolio with Client Testimonials <= 3.0 - Stored XSS via CSRF
Published
2026-03-09
Title
MetForm Pro < 3.9.7 - Unauthenticated Stored Cross-Site Scripting
Published
2025-01-07
Title
Qr Code and Barcode Scanner Reader <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting