Description
The SNORDIAN's H5PxAPIkatchu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'insert_data' AJAX endpoint in all versions up to, and including, 0.4.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-11-14
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The SNORDIAN H5PxAPIkatchu WordPress plugin contains an insufficiently sanitized and escaped input in the AJAX endpoint named insert_data, which delivers the injected content in stored form. An attacker who is not authenticated can place arbitrary JavaScript in a page; when any user loads that page the script runs in the victim’s browser, potentially enabling credential theft, session hijacking, or defacement. This weakness is classified as CWE‑79.

Affected Systems

WordPress sites that use the SNORDIAN H5PxAPIkatchu plugin, versions up to and including 0.4.17.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.2. The EPSS score is less than 1 % and the weakness is not included in the CISA KEV catalog, indicating low current exploitation likelihood. However, the flaw is exploitable through a public‑facing AJAX endpoint, meaning an unauthenticated attacker can reach the code path and inject payloads without further compromise.

Generated by OpenCVE AI on April 21, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SNORDIAN H5PxAPIkatchu to version 0.4.18 or later.
  • If an upgrade is not possible, disable the insert_data AJAX endpoint or remove the plugin from the WordPress installation.
  • Apply input validation and output escaping on the insert_data route if you maintain custom code.
  • Consider deploying a web application firewall or content‑security‑policy header to mitigate XSS attacks on affected pages.

Generated by OpenCVE AI on April 21, 2026 at 18:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 14 Nov 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 14 Nov 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 14 Nov 2025 03:00:00 +0000

Type Values Removed Values Added
Description The SNORDIAN's H5PxAPIkatchu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'insert_data' AJAX endpoint in all versions up to, and including, 0.4.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title SNORDIAN's H5PxAPIkatchu <= 0.4.17 - Unauthenticated Stored Cross-Site Scripting via insert_data
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:46.096Z

Reserved: 2025-11-07T21:47:16.787Z

Link: CVE-2025-12904

cve-icon Vulnrichment

Updated: 2025-11-14T15:23:33.512Z

cve-icon NVD

Status : Deferred

Published: 2025-11-14T03:15:56.230

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12904

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T18:30:27Z

Weaknesses