Stored Cross-Site Scripting Vulnerability in Code Embed Plugin for WordPress
CVE-2026-2512

6.4 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 18 March 2026

What is CVE-2026-2512?

The Code Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting. The root cause is that the plugin's sanitization of meta values does not run in every scenario: the sanitization function sec_check_post_fields() is invoked only from the save_post hook, so custom fields added through the wp_ajax_add_meta AJAX endpoint are stored unsanitized. As a result, authenticated users with Contributor-level access and above can inject malicious scripts into pages, and those scripts execute in the browser of any user who visits a compromised page.
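The root cause the description identifies, a sanitizer tied to a single hook, beside the defensive pattern that closes the gap, as an added illustration that is not the Code Embed plugin's own code: the meta key `example_embed`, the callback names and the sanitizer bodies are hypothetical, while `save_post`, `register_meta()`, `sanitize_meta()`, `wp_kses_post()` and `user_can()` are real WordPress APIs.

```php
<?php
// Added illustration, not the Code Embed plugin's code. The meta key
// 'example_embed' and all function names here are hypothetical.

// Weak pattern: sanitize the custom field only when the editor saves.
// save_post fires for the post-edit form, but a custom field can also be
// written through paths that never reach this callback, such as the
// wp_ajax_add_meta endpoint behind the Custom Fields box, which calls
// add_post_meta() directly with the raw value.
function example_sanitize_on_save( $post_id ) {
    if ( ! isset( $_POST['example_embed'] ) ) {
        return;
    }
    $clean = wp_kses_post( wp_unslash( $_POST['example_embed'] ) );
    update_post_meta( $post_id, 'example_embed', $clean );
}
add_action( 'save_post', 'example_sanitize_on_save' );

// Hardened pattern: attach the sanitizer to the meta key itself.
// register_meta() hooks the callback into sanitize_meta(), which
// add_metadata() and update_metadata() call on every write, so the
// AJAX custom-fields path and the REST API are covered as well.
function example_sanitize_embed_meta( $value ) {
    // wp_kses_post() keeps the markup allowed in post content and strips
    // <script> elements and on* event-handler attributes.
    return wp_kses_post( (string) $value );
}

// Optional second layer: only users who hold unfiltered_html (by default
// Administrators and Editors on a single site, never Contributors) may
// write this key at all, whichever path the write arrives through.
function example_embed_meta_auth( $allowed, $meta_key, $object_id, $user_id ) {
    return user_can( $user_id, 'unfiltered_html' );
}

add_action( 'init', function () {
    register_meta(
        'post',
        'example_embed',
        array(
            'type'              => 'string',
            'single'            => true,
            'sanitize_callback' => 'example_sanitize_embed_meta',
            'auth_callback'     => 'example_embed_meta_auth',
        )
    );
} );
```

A quick check for this class of bug is to add a custom field to a draft through the Custom Fields box on a test site and confirm the stored value is sanitized even though no post-edit form was submitted.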

Affected Version(s)

Code Embed, all versions from 0 up to and including 2.5.1

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Yudha - DJ