PT-2026-26068 · WordPress · Code Embed

Muhammad Yudha · Published 2026-03-18 · Updated 2026-03-18 · CVE-2026-2512

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Code Embed plugin for WordPress, versions prior to 2.5.2

Description: The Code Embed plugin for WordPress is susceptible to Stored Cross-Site Scripting through custom field meta values. The plugin's sanitization function, sec_check_post_fields(), runs only on the save_post hook. However, WordPress allows custom fields to be added through the wp_ajax_add_meta AJAX endpoint without triggering this hook. Consequently, the ce_filter() function outputs these unsanitized meta values directly into page content without proper escaping. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages, which then execute whenever a user views the affected page.

Recommendations: Update the Code Embed plugin to version 2.5.2 or later.
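The root cause described above is a sanitizer tied to one write path (save_post) while the output path trusts whatever is in the meta table. The PHP below is an added illustration written for this advisory, not the Code Embed plugin's code and not its released fix: the meta key `demo_embed`, the placeholder `{{demo_embed}}` and every `demo_*` function are hypothetical. It shows the weak pattern beside a hardened one that sanitizes inside the WordPress metadata API itself (so the admin-ajax add-meta route is covered too) and still filters at output.

```php
<?php
/*
 * Added illustration, not the Code Embed plugin's own code.
 * Hypothetical meta key "demo_embed" (no leading underscore, so it can be
 * set from the Custom Fields box), hypothetical demo_* function names.
 */

/* ---- Weak pattern: sanitize only on save_post, trust meta at output ---- */

add_action( 'save_post', 'demo_weak_sanitize_on_save' );
function demo_weak_sanitize_on_save( $post_id ) {
    // Only runs when save_post fires. The Custom Fields box writes meta via
    // admin-ajax.php (wp_ajax_add_meta) without firing save_post, so a value
    // stored that way never passes through here.
    $raw = get_post_meta( $post_id, 'demo_embed', true );
    if ( $raw !== '' && ! current_user_can( 'unfiltered_html' ) ) {
        update_post_meta( $post_id, 'demo_embed', wp_kses_post( $raw ) );
    }
}

add_filter( 'the_content', 'demo_weak_filter' );
function demo_weak_filter( $content ) {
    // Stored value is echoed verbatim: whatever reached the meta table
    // becomes markup in the rendered page (stored XSS if it was never filtered).
    $embed = get_post_meta( get_the_ID(), 'demo_embed', true );
    return str_replace( '{{demo_embed}}', $embed, $content );
}

/* ---- Hardened pattern: sanitize on every write path, filter at output ---- */

// 1. register_meta()'s sanitize_callback is applied by sanitize_meta() inside
//    add_metadata()/update_metadata(), i.e. on every write path including the
//    add-meta AJAX action. auth_callback is consulted by map_meta_cap() for
//    add_post_meta/edit_post_meta, which the Custom Fields box also checks.
add_action( 'init', 'demo_register_embed_meta' );
function demo_register_embed_meta() {
    register_meta( 'post', 'demo_embed', array(
        'type'              => 'string',
        'single'            => true,
        'sanitize_callback' => 'demo_sanitize_embed',
        'auth_callback'     => 'demo_authorize_embed',
    ) );
}

function demo_sanitize_embed( $value ) {
    $value = (string) $value;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value; // raw HTML is a privilege these users already hold
    }
    // Contributors/Authors: strip script tags, event handlers and
    // javascript: URLs, keep post-safe HTML.
    return wp_kses_post( $value );
}

function demo_authorize_embed( $allowed, $meta_key, $object_id, $user_id ) {
    // Anyone who may edit the post may set the key; sanitization above
    // decides how much of the value survives.
    return user_can( $user_id, 'edit_post', $object_id );
}

// 2. Do not trust the stored value at output either: rows written before the
//    sanitizer existed, or via any path that bypassed it, are filtered here
//    according to the post author's capabilities.
add_filter( 'the_content', 'demo_hardened_filter' );
function demo_hardened_filter( $content ) {
    $post_id = get_the_ID();
    $embed   = (string) get_post_meta( $post_id, 'demo_embed', true );
    $author  = (int) get_post_field( 'post_author', $post_id );
    if ( ! user_can( $author, 'unfiltered_html' ) ) {
        $embed = wp_kses_post( $embed );
    }
    return str_replace( '{{demo_embed}}', $embed, $content );
}
```

When reviewing a plugin for this class of bug, look for every `the_content` (or template) filter that interpolates a `get_post_meta()` value and trace whether each write path for that key (post editor, Custom Fields box, REST, WP-CLI, direct `update_post_meta()` calls) reaches the same sanitizer; binding the sanitizer to the key via `register_meta()` rather than to one hook removes that dependency.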

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-2512

Affected Products: Code Embed