Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in burria Laika Pedigree Tree laika-pedigree-tree allows Stored XSS. This issue affects Laika Pedigree Tree: from n/a through <= 1.4.
Published: 2025-01-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Laika Pedigree Tree plugin contains an improper neutralization of input during web page generation flaw that allows an attacker to store a malicious script. When a user views a page that includes this persisted script, the browser will execute it in the context of the site, potentially allowing account hijacking, data theft, or redirection. This is a stored XSS (CWE-79) vulnerability.

Affected Systems

The vulnerability exists in the WordPress plugin Laika Pedigree Tree (burria) version 1.4 and all earlier releases. Any WordPress site that has this plugin installed and runs a version up to and including 1.4 is affected.

Risk and Exploitability

The CVSS score is 7.1, classifying the flaw as high severity. However, the EPSS score is below 1%, indicating that exploitation attempts are rare at present, and the flaw has not been listed in CISA KEV. The likely attack vector requires the attacker to gain access to the plugin’s administrative interfaces or perform a CSRF attack that submits malicious input, which the plugin then stores and later renders. Because the payload is persistent, any user who subsequently views the affected page will run the injected script.

Generated by OpenCVE AI on May 1, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Laika Pedigree Tree plugin to the latest version that removes the stored XSS flaw
  • If an update is unavailable, temporarily disable or delete the plugin to eliminate the attack surface
  • Implement a web application firewall or User-Agent filtering to block malicious scripts from being stored or rendered
  • Adopt general XSS mitigations such as strict input validation, output encoding, and Content Security Policy headers
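As an added example (not the plugin's own code, which this record does not show), the CSRF-to-stored-XSS pattern in a WordPress settings form beside its hardened form using WordPress's nonce, capability, sanitization and escaping functions; the option, hook and field names are hypothetical:

```php
<?php
// Added example, not code from the Laika Pedigree Tree plugin: a WordPress
// settings form that is CSRF-able and stores raw input (the CWE-79 pattern
// this record describes), beside a hardened version. Option name, hook names
// and field names are hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// No nonce and no capability check: a forged cross-site POST sent by an
// administrator's browser is accepted, and the raw value is persisted.
function example_save_dog_name_vulnerable() {
    update_option( 'example_dog_name', $_POST['dog_name'] );
}
// The stored value is echoed unescaped, so persisted markup runs for every visitor.
function example_render_dog_name_vulnerable() {
    echo '<h2>' . get_option( 'example_dog_name' ) . '</h2>';
}

// --- Hardened pattern -----------------------------------------------------
add_action( 'admin_post_example_save_dog_name', 'example_save_dog_name_hardened' );
function example_save_dog_name_hardened() {
    // CSRF: the request must carry the nonce that this user's form issued.
    check_admin_referer( 'example_save_dog_name' );
    // Authorization: the user must actually be allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Input validation: a plain-text field gets tags and control chars stripped.
    $name = sanitize_text_field( wp_unslash( $_POST['dog_name'] ?? '' ) );
    update_option( 'example_dog_name', $name );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}

// The matching form: emits the nonce the handler checks and escapes the
// current value for an attribute context.
function example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'example_save_dog_name' );
    echo '<input type="hidden" name="action" value="example_save_dog_name">';
    echo '<input type="text" name="dog_name" value="' . esc_attr( get_option( 'example_dog_name', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}

// Output encoding: escape at render time even though input was sanitized,
// since another code path could write the same option.
function example_render_dog_name_hardened() {
    echo '<h2>' . esc_html( get_option( 'example_dog_name', '' ) ) . '</h2>';
}
```

A Content Security Policy header, the last mitigation in the list above, is set on the HTTP response rather than in plugin code and is not shown here.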


Advisories
Source: EUVD
ID: EUVD-2025-2868
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Burria Laika Pedigree Tree allows Stored XSS. This issue affects Laika Pedigree Tree: from n/a through 1.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Burria Laika Pedigree Tree allows Stored XSS.This issue affects Laika Pedigree Tree: from n/a through 1.4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in burria Laika Pedigree Tree laika-pedigree-tree allows Stored XSS.This issue affects Laika Pedigree Tree: from n/a through <= 1.4.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 08 Jan 2025 08:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jan 2025 15:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Burria Laika Pedigree Tree allows Stored XSS.This issue affects Laika Pedigree Tree: from n/a through 1.4.
Title WordPress Laika Pedigree Tree plugin <= 1.4 - CSRF to Stored XSS vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:02.454Z

Reserved: 2025-01-07T10:23:51.456Z

Link: CVE-2025-22593

Vulnrichment

Updated: 2025-01-07T16:56:32.892Z

NVD

Status : Deferred

Published: 2025-01-07T16:15:55.627

Modified: 2026-06-17T08:48:32.560

Link: CVE-2025-22593

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T22:30:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')