CVE-2025-50023: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability has been identified in Chris Coyier CodePen Embed Block WordPress plugin versions through 1.1.1. The vulnerability was discovered on May 7, 2025, reported by Nabil Irawan, and publicly disclosed on June 20, 2025. This security issue is tracked as CVE-2025-50023 and is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, Wiz).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.9 (Medium severity). The technical characteristics include: Network-based attack vector (AV:N), Low attack complexity (AC:L), requires High privileges (PR:H), needs User interaction (UI:R), with Changed scope (S:C), and Low impact on Confidentiality, Integrity, and Availability (C:L/I:L/A:L) (Patchstack).

The vulnerability could enable malicious actors to inject malicious scripts into the website, including redirects, advertisements, and other HTML payloads. These injected scripts would be executed when visitors access the affected site (Patchstack).

As of the latest reports, no official fix is available for this vulnerability. The issue affects versions up to and including 1.1.1 of the CodePen Embed Block plugin (Wiz).