Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mind Doodle Mind Doodle Visual Sitemaps & Tasks mind-doodle-sitemap allows Stored XSS. This issue affects Mind Doodle Visual Sitemaps & Tasks: from n/a through <= 1.6.
Published: 2025-01-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mind Doodle Visual Sitemaps & Tasks allows attackers to store arbitrary JavaScript in the plugin’s data repository. When a visitor loads a page that renders this data, the stored script runs in that user’s browser. This Stored XSS vulnerability can be used to steal session cookies, manipulate page content, and perform further client‑side attacks. The weakness is classified as CWE‑79.

Affected Systems

The vulnerability exists in Mind Doodle Visual Sitemaps & Tasks versions from initial releases through and including 1.6. Users of any release numbered 1.6 or lower are potentially affected.

Risk and Exploitability

With a CVSS score of 6.5, the problem is of moderate severity. The EPSS score of less than 1% indicates the exploitation probability is low, and the vulnerability is not listed in CISA's KEV catalog. Attackers would need the ability to submit data to the plugin—most likely via the admin interface to create or edit map or task entries—to embed the malicious payload. Once embedded, the code is served to all site visitors, enabling widespread client‑side compromise.

Generated by OpenCVE AI on May 1, 2026 at 22:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mind Doodle Visual Sitemaps & Tasks to the latest available version, which removes the stored XSS flaw.
  • If an upgrade is not immediately possible, restrict access to the plugin’s input forms to authenticated administrators and ensure any submitted data is validated and sanitized before storage.
  • Deploy a web application firewall rule that blocks or sanitizes typical XSS payloads on input to the plugin’s fields.

Advisories

Source: EUVD
ID: EUVD-2025-2822
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mind Doodle Mind Doodle Visual Sitemaps & Tasks allows Stored XSS. This issue affects Mind Doodle Visual Sitemaps & Tasks: from n/a through 1.6.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1):
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Description (value removed):
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mind Doodle Mind Doodle Visual Sitemaps & Tasks allows Stored XSS. This issue affects Mind Doodle Visual Sitemaps & Tasks: from n/a through 1.6.
Description (value added):
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mind Doodle Mind Doodle Visual Sitemaps & Tasks mind-doodle-sitemap allows Stored XSS. This issue affects Mind Doodle Visual Sitemaps & Tasks: from n/a through <= 1.6.
References
Metrics (cvssV3_1):
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 07 Jan 2025 17:15:00 +0000

Metrics (ssvc):
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Jan 2025 15:30:00 +0000

Description (value added):
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mind Doodle Mind Doodle Visual Sitemaps & Tasks allows Stored XSS. This issue affects Mind Doodle Visual Sitemaps & Tasks: from n/a through 1.6.
Title (value added):
WordPress Mind Doodle Visual Sitemaps & Tasks plugin <= 1.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses (value added): CWE-79
References
Metrics (cvssV3_1):
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:01.210Z

Reserved: 2025-01-07T10:23:07.229Z

Link: CVE-2025-22544

Vulnrichment

Updated: 2025-01-07T16:12:31.464Z

NVD

Status: Deferred

Published: 2025-01-07T16:15:50.003

Modified: 2026-06-17T08:48:09.060

Link: CVE-2025-22544

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T22:30:16Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')