Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daniel Bakovic WPAchievements Free wpachievements-free allows Stored XSS. This issue affects WPAchievements Free: from n/a through <= 1.2.0.
Published: 2025-01-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WPAchievements Free plugin contains an improper neutralization of input during web page generation, enabling stored cross‑site scripting attacks. An attacker can inject malicious script code that is persisted and served to any user who views the affected content. This can lead to theft of session cookies, defacement of user interfaces, or execution of further malicious actions in the victim’s browser.

Affected Systems

The vulnerability is present in the Daniel Bakovic WPAchievements Free plugin for WordPress versions up to and including 1.2.0. Systems running WordPress sites that have this plugin installed, especially those with administrative access or content creation permissions, are at risk. No specific operating system or additional components are cited.

Risk and Exploitability

The CVSS score of 6.5 categorizes the issue as moderate severity, while the EPSS score of less than 1% indicates a low probability of exploitation. It is not listed in the CISA KEV catalog. The likely attack vector is through compromised or poorly secured administrative accounts that can add or edit plugin content, allowing an attacker to persist malicious payloads in the site’s output.

Generated by OpenCVE AI on May 1, 2026 at 22:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WPAchievements Free to a version newer than 1.2.0.
  • If an upgrade is not immediately available, disable the plugin until a patched release is installed.
  • Review all existing content (posts, pages, and plugin-generated output) for injected scripts and remove any malicious code discovered.



Advisories
Source: EUVD
ID: EUVD-2025-2759
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Powerfusion WPAchievements Free allows Stored XSS. This issue affects WPAchievements Free: from n/a through 1.2.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics cvssV3_1
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Powerfusion WPAchievements Free allows Stored XSS. This issue affects WPAchievements Free: from n/a through 1.2.0.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daniel Bakovic WPAchievements Free wpachievements-free allows Stored XSS. This issue affects WPAchievements Free: from n/a through <= 1.2.0.

Type: References

Type: Metrics cvssV3_1
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 07 Jan 2025 16:15:00 +0000

Type: Metrics ssvc
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jan 2025 11:00:00 +0000

Type: Description
Value: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Powerfusion WPAchievements Free allows Stored XSS. This issue affects WPAchievements Free: from n/a through 1.2.0.

Type: Title
Value: WordPress WPAchievements Free Plugin <= 1.2.0 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Value: CWE-79

Type: References

Type: Metrics cvssV3_1
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:00.340Z

Reserved: 2025-01-03T13:16:57.347Z

Link: CVE-2025-22362

Vulnrichment

Updated: 2025-01-07T15:51:58.805Z

NVD

Status : Deferred

Published: 2025-01-07T11:15:19.453

Modified: 2026-06-17T08:46:47.070

Link: CVE-2025-22362

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T22:45:26Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')