CVE-2025-26538: 
WordPress vulnerability analysis and mitigation

The Prezi Embedder WordPress plugin version 2.1 and earlier contains a Stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by researcher yudha and was publicly disclosed on February 13, 2025. This security issue affects the Prezi Embedder plugin through version 2.1, allowing authenticated users with Contributor-level access or higher to inject malicious scripts (Wordfence, Patchstack).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS score of 6.4 (Medium). It involves improper neutralization of input during web page generation, which allows for the injection and storage of malicious scripts that are executed when users view affected pages (Patchstack).

When exploited, this vulnerability could allow attackers to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These scripts would be executed when visitors access the affected pages, potentially compromising user data or website functionality (Patchstack).

As of the disclosure date, no official fix has been released for this vulnerability. Website administrators using the Prezi Embedder plugin should consider either removing the plugin or implementing additional security controls to restrict access to contributor-level accounts (Patchstack).