Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in falldeaf WP ViewSTL wp-viewstl allows DOM-Based XSS. This issue affects WP ViewSTL: from n/a through <= 1.0.
Published: 2025-01-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a DOM‑based Cross‑Site Scripting flaw that allows an attacker to inject arbitrary JavaScript into pages generated by the WP ViewSTL plugin. The flaw arises from the plugin’s failure to properly neutralise user‑supplied input before rendering it in the browser. A successful exploitation would let an attacker execute scripts in the context of the victim’s browser, potentially leading to session hijacking, defacement, or theft of sensitive information stored in the user’s session.

Affected Systems

The issue affects the falldeaf WP ViewSTL WordPress plugin with versions up to and including 1.0. Any WordPress site that has a vulnerable instance of this plugin installed is at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% shows that the likelihood of exploitation is very low at present. The vulnerability is not listed in CISA’s KEV catalog. Because the flaw is DOM‑based, the attack vector is presumed to be a crafted URL or form input that the plugin does not sanitise before rendering on the page. No additional prerequisites are noted, making the exploit potentially straightforward for a sufficiently motivated attacker.

Generated by OpenCVE AI on May 1, 2026 at 21:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP ViewSTL to the latest version that addresses the XSS flaw
  • If an upgrade is not immediately possible, consider disabling or removing the plugin from the site
  • Apply input sanitisation to any parameters handled by the plugin, such as using WordPress’s wp_kses or esc_html functions to escape output

Advisories
Source: EUVD
ID: EUVD-2025-2957
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in falldeaf WP ViewSTL allows DOM-Based XSS. This issue affects WP ViewSTL: from n/a through 1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in falldeaf WP ViewSTL allows DOM-Based XSS. This issue affects WP ViewSTL: from n/a through 1.0.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in falldeaf WP ViewSTL wp-viewstl allows DOM-Based XSS. This issue affects WP ViewSTL: from n/a through <= 1.0.
Type: References
Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 15 Jan 2025 19:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Jan 2025 15:30:00 +0000

Type: Description
Value: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in falldeaf WP ViewSTL allows DOM-Based XSS. This issue affects WP ViewSTL: from n/a through 1.0.
Type: Title
Value: WordPress WP ViewSTL plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Value: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:06.244Z

Reserved: 2025-01-07T21:04:23.274Z

Link: CVE-2025-22742

Vulnrichment

Updated: 2025-01-15T17:09:51.533Z

NVD

Status : Deferred

Published: 2025-01-15T16:15:36.350

Modified: 2026-04-23T15:23:32.097

Link: CVE-2025-22742

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T21:30:15Z

Weaknesses