Impact
The BlogBuzzTime for WP plugin for WordPress is vulnerable to stored Cross-Site Scripting (CWE-79) through the plugin's settings, which an authenticated administrator can edit. Insufficient input sanitization and output escaping allow arbitrary script payloads to be written into the plugin data and later rendered when users view the affected page. This can lead to session hijacking, credential theft, defacement, or other damage in the context of the victim's browser. The weakness carries a moderate-severity CVSS score of 4.4.

The vulnerability can be exploited only by users with administrator-level permissions or higher, and it specifically affects multi-site WordPress installations where the unfiltered_html capability has been disabled. The potential damage is limited to users who view the stored scripts, yet the exploitation path is straightforward for a privileged user: navigate to the plugin's settings page, input malicious code, store it, and have it executed for subsequent visitors.

The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and no public exploitation has been reported. The EPSS score of <1% indicates a very low current probability of exploitation, but the impact remains significant if an insider attacker gains access.
Affected Systems
The affected product is the BlogBuzzTime for WP plugin developed by gpenverne, in all versions 1.1 or earlier, running on WordPress multi-site setups where the unfiltered_html capability is disabled. This includes any WordPress installation using the plugin that has admin accounts capable of editing its settings.
Risk and Exploitability
The CVSS score of 4.4 denotes moderate severity, and the EPSS score of less than 1% indicates a low likelihood of exploitation at present. The vulnerability requires authenticated admin access, limiting its attack surface to privileged users. Because it is a stored script payload, any user who views the affected page will automatically run the malicious code in their browser context, potentially compromising session state or stealing credentials. Given these characteristics, the risk is moderate but still noteworthy for organizations with large privileged user bases or multi‑site WordPress environments.
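The sanitization and escaping gap described under Impact, shown as the weak pattern beside a hardened one. This is an added example and not the plugin's code: the option names, form fields, nonce action and `example_*` functions are hypothetical, and only the WordPress core functions are real.

```php
<?php
// Added illustration. Option names, field names and example_* functions are
// hypothetical; they are not taken from the BlogBuzzTime for WP plugin.
const EXAMPLE_TITLE  = 'example_plugin_title';   // plain-text setting
const EXAMPLE_FOOTER = 'example_plugin_footer';  // setting that may hold markup

// Weak pattern: the raw request value is stored and later echoed unchanged,
// so markup saved by an admin runs in every visitor's browser.
function example_save_weak() {
    update_option( EXAMPLE_TITLE, $_POST['title'] );
}
function example_render_weak() {
    echo '<h3>' . get_option( EXAMPLE_TITLE ) . '</h3>';
}

// Hardened save: authorize, verify the nonce, then sanitize per field type.
function example_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_save_settings' ); // dies on a bad nonce

    $title  = isset( $_POST['title'] ) ? wp_unslash( $_POST['title'] ) : '';
    $footer = isset( $_POST['footer'] ) ? wp_unslash( $_POST['footer'] ) : '';
    if ( ! is_string( $title ) )  { $title = ''; }
    if ( ! is_string( $footer ) ) { $footer = ''; }

    // Plain-text field: strip all tags before storing.
    update_option( EXAMPLE_TITLE, sanitize_text_field( $title ) );

    // Markup field: only users holding unfiltered_html may store raw HTML.
    // On multisite a site administrator lacks that capability, so the value
    // is reduced to the post-content allowlist, matching what core enforces.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $footer = wp_kses_post( $footer );
    }
    update_option( EXAMPLE_FOOTER, $footer );
}

// Hardened render: escape for the output context even though the value was
// sanitized on save, because rows stored before the fix may still hold markup.
function example_render_hardened() {
    $title = (string) get_option( EXAMPLE_TITLE, '' );
    echo '<h3 title="' . esc_attr( $title ) . '">' . esc_html( $title ) . '</h3>';
    echo '<div>' . wp_kses_post( (string) get_option( EXAMPLE_FOOTER, '' ) ) . '</div>';
}
```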