WordPress Plugin Vulnerabilities

UiChemy < 4.4.3 - Authenticated (Author+) Stored Cross-Site Scripting

Description

The UiChemy plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
uichemy
Fixed in 4.4.3

References

CVE
CVE-2025-69362
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f0905304-2417-4ae7-8e76-6d85b86e8398

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada)
Verified
No
WPVDB ID
bb2ec6de-c610-4346-ad05-36d8c805dfab

Timeline

Publicly Published
2026-01-12 (about 4 months ago)
Added
2026-01-19 (about 3 months ago)
Last Updated
2026-01-19 (about 3 months ago)

Other

Published
Title
Published
2024-11-08
Title
Inline Click To Tweet <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-05-09
Title
Divi < 4.20.3 - Contributor+ Stored XSS
Published
2023-08-22
Title
Collapse-O-Matic <= 1.8.5.8 - Contributor+ Stored XSS
Published
2022-06-10
Title
Ninja Forms < 3.6.10 - Admin+ Stored Cross-Site Scripting via Import
Published
2026-04-21
Title
Buzz Comments <= 0.9.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Custom Buzz Avatar' Setting