Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PORTONE 아임포트 결제버튼 생성 플러그인 iamport-payment allows Stored XSS. This issue affects 아임포트 결제버튼 생성 플러그인: from n/a through <= 1.1.19.
Published: 2025-01-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input that enables stored cross‑site scripting in the WordPress plugin. An attacker can embed malicious scripts in data stored by the plugin, which will execute in the browsers of visitors who view the affected content, allowing data theft, defacement, or session hijacking.

Affected Systems

The affected product is the WordPress plugin for generating Iamport payment buttons, sold under the name PORTONE 아임포트 결제버튼 생성 플러그인. Versions up to and including 1.1.19 are impacted; no version information beyond that is available in the advisory.

Risk and Exploitability

The CVSS v3.1 score is 6.5, which is Medium severity. The EPSS score is less than 1%, showing a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the plugin’s stored data fields; an attacker needs to inject a malicious payload that the plugin does not sanitize, which then runs when any visitor loads the page containing the stored value.

Generated by OpenCVE AI on May 1, 2026 at 22:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the iamport-payment plugin to the latest version that resolves the stored XSS issue.
  • If an update is not immediately available, remove or temporarily disable the plugin to prevent exploitation.
  • Configure a strong Content Security Policy that restricts inline scripts and disallows script execution from untrusted sources.

Advisories
Source: EUVD
ID: EUVD-2025-2808
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SIOT 아임포트 결제버튼 생성 플러그인 allows Stored XSS. This issue affects 아임포트 결제버튼 생성 플러그인: from n/a through 1.1.19.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SIOT 아임포트 결제버튼 생성 플러그인 allows Stored XSS. This issue affects 아임포트 결제버튼 생성 플러그인: from n/a through 1.1.19.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PORTONE 아임포트 결제버튼 생성 플러그인 iamport-payment allows Stored XSS. This issue affects 아임포트 결제버튼 생성 플러그인: from n/a through <= 1.1.19.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 07 Jan 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jan 2025 15:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SIOT 아임포트 결제버튼 생성 플러그인 allows Stored XSS. This issue affects 아임포트 결제버튼 생성 플러그인: from n/a through 1.1.19.
Title WordPress 아임포트 결제버튼 생성 플러그인 plugin <= 1.1.19 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:00.835Z

Reserved: 2025-01-07T10:22:58.147Z

Link: CVE-2025-22530

Vulnrichment

Updated: 2025-01-07T17:15:25.889Z

NVD

Status: Deferred

Published: 2025-01-07T16:15:48.350

Modified: 2026-06-17T08:48:02.283

Link: CVE-2025-22530

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T22:15:27Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')