Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Typing Text typing-text allows Stored XSS. This issue affects Typing Text: from n/a through <= 1.2.7.
Published: 2025-01-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of input during web page generation, a classic input validation flaw identified as CWE-79, which permits attackers to embed malicious scripts into the Typing Text plugin’s data store. When a page that renders this stored data is accessed, the embedded script executes in the visitor’s browser, allowing the attacker to run arbitrary client‑side code.

Affected Systems

WPDeveloper’s Typing Text plugin versions 1.2.7 and all earlier releases on WordPress sites are affected. Any WordPress installation that deploys these plugin versions exposes the stored‑XSS vulnerability.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, while the EPSS score of less than 1% signals a very low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation has been documented. The CVSS vector (AV:N/AC:L/PR:L/UI:R) shows that the attack is carried out over the network, requires low privileges, and depends on user interaction. Attackers must supply or influence content that is stored by the plugin; once injected, the malicious script is executed whenever a page rendering that data is viewed.

Generated by OpenCVE AI on May 2, 2026 at 11:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Typing Text plugin to a version newer than 1.2.7, after confirming in the vendor documentation that the XSS flaw is fixed.
  • If upgrading cannot be performed immediately, deactivate or delete the Typing Text plugin to stop new input being accepted.
  • Apply a content security policy that restricts script sources on the site to mitigate potential execution of stored scripts.


Advisories

Source: EUVD
ID: EUVD-2025-2715
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Typing Text allows Stored XSS. This issue affects Typing Text: from n/a through 1.2.7.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Typing Text allows Stored XSS. This issue affects Typing Text: from n/a through 1.2.7.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Typing Text typing-text allows Stored XSS. This issue affects Typing Text: from n/a through <= 1.2.7.

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Fri, 23 Jan 2026 20:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:wpdeveloper:typing_text:*:*:*:*:*:wordpress:*:*

Tue, 07 Jan 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Jan 2025 11:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Typing Text allows Stored XSS. This issue affects Typing Text: from n/a through 1.2.7.

Type: Title
Values Added: WordPress Typing Text plugin <= 1.2.7 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:10:59.226Z

Reserved: 2025-01-03T13:16:10.261Z

Link: CVE-2025-22315

Vulnrichment

Updated: 2025-01-07T15:00:00.711Z

NVD

Status: Modified

Published: 2025-01-07T11:15:15.627

Modified: 2026-04-23T15:23:00.020

Link: CVE-2025-22315

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T12:00:14Z

Weaknesses