Description
The Eulerpool Research Systems plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'aaq' shortcode in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-30
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Update Plugin
AI Analysis

Impact

The Eulerpool Research Systems WordPress plugin contains a stored cross‑site scripting flaw in its 'aaq' shortcode, where insufficient input sanitization allows an attacker with contributor‑level or higher access to insert arbitrary scripts that run whenever a page containing the shortcode is viewed. This can lead to site defacement, cookie theft, session hijacking, or other malicious actions performed as the visiting user. The weakness is a classic stored XSS, identified as CWE‑80.

Affected Systems

The vulnerable product is the Eulerpool Research Systems plugin, version 4.0.1 and all earlier releases, supplied by the vendor michaellow. All WordPress sites running any of these versions are affected and are at risk if contributors are allowed to add or edit content.

Risk and Exploitability

The CVSS score is 6.4, indicating medium severity, while the EPSS score is below 1%, suggesting a low likelihood of exploitation at present. This vulnerability is not listed in the CISA KEV catalog. Because the flaw requires authenticated access, a threat actor would need to be an existing contributor or higher; however, once authenticated, a malicious contributor can very easily inject scripts that compromise subsequent site visitors.

Generated by OpenCVE AI on April 21, 2026 at 02:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Eulerpool Research Systems plugin to the latest available version (4.0.2 or newer).
  • If an upgrade cannot be applied immediately, deactivate or delete the plugin to eliminate the vulnerability.
  • Restrict or remove contributor accounts that do not need that role to reduce the attack surface.

Generated by OpenCVE AI on April 21, 2026 at 02:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31679 The Eulerpool Research Systems plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'aaq' shortcode in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 30 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 30 Sep 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 30 Sep 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Eulerpool Research Systems plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'aaq' shortcode in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Eulerpool Research Systems <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-80
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:46.840Z

Reserved: 2025-09-08T19:18:38.345Z

Link: CVE-2025-10128

cve-icon Vulnrichment

Updated: 2025-09-30T15:37:35.652Z

cve-icon NVD

Status : Deferred

Published: 2025-09-30T11:37:37.023

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10128

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T02:45:25Z

Weaknesses