PT-2026-1571 · WordPress · Simple User Meta Editor

Bhumividh Treloges · Published 2026-01-07 · Updated 2026-01-07 · CVE-2025-14888

CVSS v3.1: 4.4 Medium

Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Simple User Meta Editor versions prior to 1.0.1

Description

The Simple User Meta Editor plugin for WordPress has a flaw that allows an attacker to inject malicious web scripts into pages viewed by users. The cause is a lack of proper sanitization and escaping of user-provided data; specifically, the user meta value field is susceptible. Exploitation requires administrator-level access, and the flaw only impacts multi-site installations or installations where the unfiltered_html capability is disabled. An authenticated attacker can exploit this to execute arbitrary scripts when a user accesses an injected page.

Recommendations

Update Simple User Meta Editor to version 1.0.1 or later.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-14888

Affected Products

Simple User Meta Editor