Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uncanny Owl Uncanny Toolkit for LearnDash uncanny-learndash-toolkit allows Stored XSS. This issue affects Uncanny Toolkit for LearnDash: from n/a through <= 3.7.0.1.
Published: 2025-04-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting flaw in the Uncanny Toolkit for LearnDash plugin allows an attacker to inject malicious JavaScript that is permanently rendered when users view affected content. This can lead to session hijacking, defacement, or redirection of site visitors, compromising user confidentiality and integrity.

Affected Systems

WordPress sites running the Uncanny Owl Uncanny Toolkit for LearnDash plugin on version 3.7.0.1 or earlier. The vulnerability exists in all releases from the initial public version through to 3.7.0.1.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% reflects a low probability of exploitation based on the available data. The flaw is not listed in the CISA KEV catalog, suggesting no publicly known exploits at present. A likely attack vector involves an authenticated user with permissions to edit plugin content, who can insert malicious code that is later rendered for all site visitors. Despite the low exploitation probability, the potential impact warrants timely remediation.

Generated by OpenCVE AI on May 1, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Uncanny Toolkit for LearnDash plugin to the latest version that removes the XSS flaw
  • If an upgrade cannot be performed immediately, deactivate or uninstall the plugin to eliminate the vulnerable code
  • Audit other plugins and themes for similar stored XSS weaknesses and apply relevant patches or configurations

Advisories

  • Source: EUVD
    ID: EUVD-2025-11130
    Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uncanny Owl Uncanny Toolkit for LearnDash allows Stored XSS. This issue affects Uncanny Toolkit for LearnDash: from n/a through 3.7.0.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  • Description, value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uncanny Owl Uncanny Toolkit for LearnDash allows Stored XSS. This issue affects Uncanny Toolkit for LearnDash: from n/a through 3.7.0.1.
  • Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uncanny Owl Uncanny Toolkit for LearnDash uncanny-learndash-toolkit allows Stored XSS.This issue affects Uncanny Toolkit for LearnDash: from n/a through <= 3.7.0.1.
  • References (no values listed)
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 16 Apr 2025 15:15:00 +0000

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 15 Apr 2025 22:00:00 +0000

  • Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uncanny Owl Uncanny Toolkit for LearnDash allows Stored XSS. This issue affects Uncanny Toolkit for LearnDash: from n/a through 3.7.0.1.
  • Title: WordPress Uncanny Toolkit for LearnDash plugin <= 3.7.0.1 - Cross Site Scripting (XSS) vulnerability
  • Weaknesses: CWE-79
  • References (no values listed)
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:10:57.729Z

Reserved: 2025-01-02T12:02:05.151Z

Link: CVE-2025-22268

Vulnrichment

Updated: 2025-04-16T14:58:20.757Z

NVD

Status: Deferred

Published: 2025-04-15T22:15:15.730

Modified: 2026-06-17T08:46:01.650

Link: CVE-2025-22268

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T10:30:15Z

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')