๐Ÿ” CVE Alert

CVE-2026-10089

MEDIUM 6.4

Insert Pages <= 3.11.4 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Field Keys (Meta Key Names)

CVSS Score: 6.4
EPSS Score: 0.2%
EPSS Percentile: 12th

The Insert Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post custom field keys (meta key names) in all versions up to, and including, 3.11.4. This is due to insufficient output escaping in the the_meta() function: while the custom field VALUE is sanitized with wp_kses_post(), the custom field KEY ($key) is interpolated into the rendered HTML (lines 1786-1791) and echoed (line 1806) without any escaping when an inserted page is rendered with the [insert page='ID' display='all'] shortcode. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
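
A defender-side check for the issue described above, as an added example (not the plugin's code or its patch): it flags custom field keys containing HTML-special characters and shows the key escaped at output time. The `(post_id, meta_key)` row layout, the markup and the sample rows are assumptions constructed for illustration; `html.escape` stands in for an output-escaping helper such as WordPress's `esc_html()`.

```python
import html

# Characters that change meaning when a string lands in HTML text or attributes.
HTML_SPECIAL = set("<>\"'&")


def render_meta_item(key: str, value_html: str) -> str:
    """Render one custom-field row with the key escaped at output time.

    value_html is assumed to be sanitized already (the advisory says the
    value goes through wp_kses_post()); the key needs its own escaping
    because Author+ users control it. The markup here is illustrative.
    """
    return (
        '<li><span class="post-meta-key">'
        f"{html.escape(key, quote=True)}:</span> {value_html}</li>"
    )


def audit_meta_keys(rows):
    """Return (post_id, meta_key) pairs whose key contains HTML-special characters."""
    return [(post_id, key) for post_id, key in rows if HTML_SPECIAL & set(key)]


# Constructed sample rows, shaped like an export of post IDs and meta keys.
SAMPLE_ROWS = [
    (101, "subtitle"),
    (101, "_edit_lock"),
    (205, "reading-time (min)"),
    (317, "mood<script>/*constructed*/</script>"),
    (317, 'size" data-x="1'),
]

if __name__ == "__main__":
    for post_id, key in audit_meta_keys(SAMPLE_ROWS):
        print(f"post {post_id}: meta key needs review: {key!r}")
        print("  escaped rendering:", render_meta_item(key, "value"))
```

Keys flagged by the audit are worth reviewing on any site that ran an affected version, since they persist in the database after the plugin is updated.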

CWE: CWE-79
Vendor: figureone
Product: insert pages
Published: Jul 2, 2026
Last Updated: Jul 2, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Affected Versions

figureone / Insert Pages
0 ≤ 3.11.4

References

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/a4246181-d331-46b0-ad48-e2ece11b2f5f?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/insert-pages/tags/3.11.4/insert-pages.php#L1789
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/insert-pages/tags/3.11.4/insert-pages.php#L1771
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/insert-pages/tags/3.11.4/insert-pages.php#L768
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/insert-pages/tags/3.11.3/insert-pages.php#L1789
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/insert-pages/tags/3.11.3/insert-pages.php#L1771
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/insert-pages/tags/3.11.3/insert-pages.php#L768
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3579298

Credits

Athiwat Tiprasaharn (Jitlada)