CVE-2025-68867 MEDIUM

CVE-2025-68867: WordPress Effect Maker plugin <= 1.2.1 - Cross Site Scripting (XSS) vulnerability

Vendor Anibalwainstein
Product Effect Maker
Weakness CWE-79 · XSS
Published January 8, 2026
Last update April 28, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anibalwainstein Effect Maker effect-maker allows DOM-Based XSS. This issue affects Effect Maker: from n/a through <= 1.2.1.

Explanation of Vulnerability in Simple Terms

02 Summary

Effect Maker versions 1.2.1 and earlier contain a DOM-based cross-site scripting vulnerability that allows attackers to inject malicious scripts. An attacker with a low-privilege account must trick a victim into visiting a crafted page or clicking a link. The injected script executes in the victim's browser with their permissions, potentially compromising their session or data.

What an attacker can do

03 Attacker Capabilities

Inject malicious JavaScript that runs in a victim's browser with their permissions.

Potential impact on your site

04 Site Impact

Users' sessions or data could be compromised if they interact with attacker-controlled content.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege account; victim must click a malicious link or visit a crafted page.

Key dates

06 Disclosure timeline

January 8, 2026 CVE published
April 28, 2026 Record updated