Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FolioVision Filled In filled-in allows Stored XSS. This issue affects Filled In: from n/a through <= 1.9.2.
Published: 2025-03-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The FolioVision Filled In plugin for WordPress fails to neutralize user input during web page generation, resulting in stored cross-site scripting. Malicious input submitted to the plugin is saved to the database and later rendered without adequate escaping, so a script injected through the plugin executes in the browser of every user who views the affected content. This type of vulnerability can lead to session hijacking, cookie theft, defacement, or delivery of further malware. The weakness corresponds to CWE-79.

Affected Systems

The vulnerability is present in all releases of the Filled In plugin from the earliest version through 1.9.2. The plugin is developed by FolioVision and is typically used within WordPress sites. Any site that has the plugin installed at a version 1.9.2 or earlier is at risk.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) indicates high severity, while the EPSS score below 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The attack path requires the attacker to get malicious content stored by the plugin, for example via a cross-site request forgery against a logged-in privileged user or by using administrator privileges directly; the stored XSS then affects any user who views the compromised content. No public exploit details are available, so the risk remains at a moderate-to-high level until a patch is applied.

Generated by OpenCVE AI on May 1, 2026 at 12:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Filled In plugin to a version newer than 1.9.2, or uninstall the plugin if it is not needed.
  • Restrict access to the plugin’s content editing features to trusted administrators and enable WordPress role‑based permissions to prevent unauthenticated or low‑privilege users from injecting content.
  • Deploy a web application firewall or input‑sanitization rule that blocks or encodes script tags before data is stored in the database, as a temporary measure until an official fix is available.
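The following PHP is an added example, not code from the Filled In plugin or from FolioVision, showing the WordPress defensive pattern behind the second and third recommendations and behind the "CSRF to Stored XSS" chain named in the advisory title: a capability check and nonce check on the save path, allowlist sanitization on input, and context-appropriate escaping on output. All `example_plugin_*` function, option and field names are hypothetical; the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `wp_kses_post`, `esc_html`, `esc_textarea`) are real core functions.

```php
<?php
// Added example (not the Filled In plugin's code): a hypothetical WordPress
// settings handler that closes both halves of a "CSRF to stored XSS" chain.
// All example_plugin_* names and option keys are assumptions.

// Register the admin-post action that saves the user-supplied content.
add_action('admin_post_example_plugin_save', 'example_plugin_save');

function example_plugin_save() {
    // 1. Authorization: only users who may manage options can change the setting.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges', 403);
    }
    // 2. Anti-CSRF: the request must carry a valid nonce bound to this action,
    //    so a forged cross-site form submission riding an admin's session is rejected.
    check_admin_referer('example_plugin_save_action', 'example_plugin_nonce');

    // 3. Sanitize on input: wp_kses_post() strips tags and attributes outside the
    //    post-content allowlist (script elements, on* handlers, javascript: URLs).
    $raw   = isset($_POST['example_plugin_content']) ? wp_unslash($_POST['example_plugin_content']) : '';
    $clean = wp_kses_post($raw);
    update_option('example_plugin_content', $clean);

    wp_safe_redirect(admin_url('options-general.php?page=example-plugin&saved=1'));
    exit;
}

// Render the settings form, including the nonce field the handler verifies.
function example_plugin_settings_form() {
    $current = get_option('example_plugin_content', '');
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="example_plugin_save">
        <?php wp_nonce_field('example_plugin_save_action', 'example_plugin_nonce'); ?>
        <!-- esc_textarea() escapes the stored value for a textarea context -->
        <textarea name="example_plugin_content"><?php echo esc_textarea($current); ?></textarea>
        <?php submit_button('Save'); ?>
    </form>
    <?php
}

// Render the stored content on the front end. Escape on output as well:
// sanitizing on save is not enough on its own, because the database may already
// hold rows written before the fix or through another code path.
function example_plugin_render() {
    $stored = get_option('example_plugin_content', '');
    // Rich text: re-apply the allowlist so stale or unsanitized rows cannot emit scripts.
    echo wp_kses_post($stored);
}

// For a value that must be plain text (a title or label), use esc_html(), which
// entity-encodes <, >, &, " and ' so the browser never parses it as markup.
function example_plugin_render_title() {
    echo '<h2>' . esc_html(get_option('example_plugin_title', '')) . '</h2>';
}
```

The nonce check is what turns a "CSRF to stored XSS" into a failed request: a cross-site form cannot obtain the per-session nonce, so the save handler dies before anything reaches the database. Escaping at render time is kept as an independent layer, since it protects even content that entered the database by a path the sanitizer never saw.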


Advisories

  Source: EUVD
  ID: EUVD-2025-14961
  Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Foliovision Filled In allows Stored XSS. This issue affects Filled In: from n/a through 1.9.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description (removed): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Foliovision Filled In allows Stored XSS. This issue affects Filled In: from n/a through 1.9.2.
  Description (added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FolioVision Filled In filled-in allows Stored XSS. This issue affects Filled In: from n/a through <= 1.9.2.
  References: (no values shown on page)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 27 Mar 2025 17:15:00 +0000

  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 27 Mar 2025 15:45:00 +0000

  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Foliovision Filled In allows Stored XSS. This issue affects Filled In: from n/a through 1.9.2.
  Title: WordPress Filled In Plugin <= 1.9.2 - CSRF to Stored XSS vulnerability
  Weaknesses: CWE-79
  References: (no values shown on page)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:02.527Z

Reserved: 2025-01-07T21:02:24.869Z

Link: CVE-2025-22628

Vulnrichment

Updated: 2025-03-27T16:13:44.429Z

NVD

Status: Deferred

Published: 2025-03-27T16:15:28.130

Modified: 2026-06-17T08:48:48.587

Link: CVE-2025-22628

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T12:45:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')