Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ben Huson List Pages at Depth (list-pages-at-depth) allows Stored XSS. This issue affects List Pages at Depth: from n/a through <= 1.5.
Published: 2025-01-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during page generation in Ben Huson’s List Pages at Depth WordPress plugin allows attackers to store malicious markup in the site’s database. When a user visits a page that renders the affected plugin content, the stored code is delivered and executed in the user’s browser, constituting a stored XSS vulnerability with a CVSS base score of 6.5. This flaw can lead to the compromise of user integrity and the potential defacement of site content.

Affected Systems

Ben Huson’s List Pages at Depth plugin for WordPress; all installations from the earliest release up through version 1.5 are vulnerable.

Risk and Exploitability

The EPSS score is below 1% and the vulnerability is not listed in CISA’s KEV catalogue, indicating a very low but non‑zero exploitation probability. Based on the description, it is inferred that exploitation would require an attacker to inject and store malicious input, typically via an administrative or content‑creation interface, after which the payload is served to any user who views a page displaying the affected list.

Generated by OpenCVE AI on May 2, 2026 at 11:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the List Pages at Depth plugin to a version newer than 1.5 that contains the XSS fix.
  • If an immediate update is not possible, disable or remove the plugin from the WordPress installation to eliminate the attack surface.
  • Implement a site‑wide content‑security‑policy that restricts script execution to trusted sources and verify that any user‑generated content is properly sanitized before rendering.

Advisories
Source ID Title
EUVD, EUVD-2025-2797, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ben Huson List Pages at Depth allows Stored XSS. This issue affects List Pages at Depth: from n/a through 1.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ben Huson List Pages at Depth allows Stored XSS. This issue affects List Pages at Depth: from n/a through 1.5.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ben Huson List Pages at Depth list-pages-at-depth allows Stored XSS. This issue affects List Pages at Depth: from n/a through <= 1.5.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 07 Jan 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jan 2025 15:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ben Huson List Pages at Depth allows Stored XSS. This issue affects List Pages at Depth: from n/a through 1.5.
Title WordPress List Pages at Depth plugin <= 1.5 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:00.739Z

Reserved: 2025-01-07T10:22:48.985Z

Link: CVE-2025-22517

Vulnrichment

Updated: 2025-01-07T17:28:23.257Z

NVD

Status: Deferred

Published: 2025-01-07T16:15:46.820

Modified: 2026-06-17T08:47:55.997

Link: CVE-2025-22517

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T11:30:41Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')