Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric McNiece EMC2 Alert Boxes allows Stored XSS. This issue affects EMC2 Alert Boxes: from n/a through 1.3.
Published: 2025-01-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper neutralization of input during web page generation causes a stored cross-site scripting flaw that lets an attacker inject malicious scripts which run in the browser context of any site visitor. The vulnerability falls under CWE-79 and could be used to deface content, steal cookies or credentials, and redirect users to malicious sites.

Affected Systems

The EMC2 Alert Boxes plugin for WordPress, developed by Eric McNiece, is affected in all releases from the earliest available version through 1.3. Any WordPress installation using the plugin in these versions is susceptible.

Risk and Exploitability

The CVSS base score is 6.5 and the EPSS score is less than 1%, indicating a moderate severity and a low probability of public exploitation. It is not listed in the CISA KEV catalog. The likely attack path involves a privileged user or an attacker who gains the ability to submit content via the plugin’s alert box editor; from there, malicious JavaScript can be stored and later executed when other visitors view the alert box.

Generated by OpenCVE AI on May 1, 2026 at 22:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the EMC2 Alert Boxes plugin to the latest released version (at least 1.4 if available).
  • If no updated version is available, disable or uninstall the plugin from the WordPress installation.
  • Configure a Content Security Policy that blocks inline scripts or restricts script execution from the plugin’s output.

Advisories
Source: EUVD
ID: EUVD-2025-2762
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric McNiece EMC2 Alert Boxes allows Stored XSS. This issue affects EMC2 Alert Boxes: from n/a through 1.3.

History

Tue, 28 Apr 2026 19:30:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric McNiece EMC2 Alert Boxes emc2-alert-boxes allows Stored XSS. This issue affects EMC2 Alert Boxes: from n/a through <= 1.3.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric McNiece EMC2 Alert Boxes allows Stored XSS. This issue affects EMC2 Alert Boxes: from n/a through 1.3.
References

Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric McNiece EMC2 Alert Boxes allows Stored XSS. This issue affects EMC2 Alert Boxes: from n/a through 1.3.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric McNiece EMC2 Alert Boxes emc2-alert-boxes allows Stored XSS. This issue affects EMC2 Alert Boxes: from n/a through <= 1.3.
References

Tue, 07 Jan 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jan 2025 17:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric McNiece EMC2 Alert Boxes allows Stored XSS. This issue affects EMC2 Alert Boxes: from n/a through 1.3.
Title WordPress EMC2 Alert Boxes Plugin <= 1.3 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:00.272Z

Reserved: 2025-01-03T13:16:57.348Z

Link: CVE-2025-22365

Vulnrichment

Updated: 2025-01-07T17:54:25.543Z

NVD

Status: Deferred

Published: 2025-01-07T17:15:33.510

Modified: 2026-04-28T19:28:17.903

Link: CVE-2025-22365

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T22:15:27Z