2025-10-18 05:41:56
Wordfence
PUBLISHED
The XX2WP Integration Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the mxp_fb2wp_display_embed shortcode in all versions up to, and including, 1.9.9. This is due to the plugin not properly sanitizing user input and output of the post_id parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.