WordPress Plugin Vulnerabilities

Envo Extra < 1.9.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Envo Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.9.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
envo-extra
Fixed in 1.9.12

References

CVE
CVE-2025-66066
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b6306222-8b0c-4060-ade8-f4797d41ebc3

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Abu Hurayra (HurayraIIT)
Verified
No
WPVDB ID
aa024b0b-3489-47bc-beef-358e194b2502

Timeline

Publicly Published
2025-12-05 (about 5 months ago)
Added
2025-12-10 (about 5 months ago)
Last Updated
2025-12-10 (about 5 months ago)

Other

Published
Title
Published
2024-05-29
Title
Gum Elementor Addon < 1.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Price Table and Post Slider Widgets
Published
2024-12-03
Title
Intro Tour Tutorial DeepPresentation < 6.5.3 - Reflected Cross-Site Scripting
Published
2026-05-02
Title
NEX-Forms < 9.1.12 - Unauthenticated Stored Cross-Site Scripting via POST Parameter Key Names
Published
2025-01-07
Title
Infility Global < 2.9.9 - Reflected XSS
Published
2025-09-27
Title
Popular Posts by Webline <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting