Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eugenio Petulla’ imaGenius imagenius allows Stored XSS.This issue affects imaGenius: from n/a through <= 1.7.
Published: 2025-01-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a stored cross-site scripting flaw (CWE-79) in the imaGenius WordPress plugin. HTML or script content supplied by a user is stored and later rendered to other visitors without proper neutralization. An attacker who can submit or modify site content can embed malicious code that executes in the browser of any user who views the affected page, potentially leading to phishing, credential theft, or the execution of arbitrary commands. The likely attack vector is the plugin's user-generated content fields, which are displayed without escaping.

Affected Systems

The vulnerability affects the WordPress imaGenius plugin, developed by Eugenio Petulla. All versions up to and including 1.7 are affected; no lower bound is specified. The plugin is used to manage image galleries and other media content within WordPress sites.

Risk and Exploitability

The CVSS base score is 6.5 (Medium). EPSS is below 1%, suggesting a very low probability of exploitation in the wild at this time, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the flaw is reachable through a web interface that accepts content, so administrators should treat it with caution. An attacker needs write access to plugin data or another way to inject content into the site, but once the payload is stored, every visitor who views the affected page is impacted.

Generated by OpenCVE AI on May 1, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the imaGenius plugin to the latest version or to any release greater than 1.7.
  • If no update is available, consider disabling or removing the plugin until a fix is released.
  • Scan the site database for any stored content that may contain malicious scripts and sanitize or delete it, ensuring all output is properly escaped.
  • Apply a strong Content Security Policy that restricts inline script execution to reduce potential impact.
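The two technical recommendations above, scanning stored content for active markup and escaping output, as an added example written for this page; it is not code from the imaGenius plugin or from OpenCVE. It assumes a wp_posts-style table, constructed here in an in-memory SQLite database with made-up rows, and hypothetical render functions standing in for the plugin's caption output.

```python
import html
import re
import sqlite3

# Constructed sample rows, loosely modelled on wp_posts (ID, post_title, post_content).
# Rows 3 and 4 carry markup a stored-XSS scan should flag; rows 1 and 2 are benign.
SAMPLE_ROWS = [
    (1, "Holiday gallery", "<p>Photos from the trip.</p>"),
    (2, "Product shots", "Caption with a 'quote' & an ampersand"),
    (3, "Caption", '<img src="x" onerror="alert(1)"><script>alert(1)</script>'),
    (4, "Notes", '<a href="javascript:alert(1)">link</a>'),
]

# Indicators of active content inside stored HTML. This is a triage heuristic, not a
# parser: anything it flags still needs a human look, and escaping on output is what
# actually prevents execution.
RISKY_PATTERNS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript-uri": re.compile(r"(href|src)\s*=\s*['\"]?\s*javascript:", re.I),
}


def load_sample_db():
    """Build an in-memory table standing in for the site database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT)"
    )
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def scan_stored_content(conn):
    """Return {post_id: [indicator, ...]} for every row whose content matches an indicator."""
    findings = {}
    query = "SELECT ID, post_title, post_content FROM wp_posts"
    for post_id, _title, content in conn.execute(query):
        hits = [name for name, pat in RISKY_PATTERNS.items() if pat.search(content)]
        if hits:
            findings[post_id] = hits
    return findings


def render_caption_unsafe(raw):
    """The pattern behind CWE-79: stored text is concatenated into the page verbatim."""
    return f'<div class="caption">{raw}</div>'


def render_caption(raw):
    """Hardened form: neutralise the stored text for an HTML text context before output.

    In a WordPress plugin the equivalent call is esc_html(); esc_attr() covers attribute
    context, and wp_kses_post() keeps a safe subset of markup where markup is intended.
    """
    return f'<div class="caption">{html.escape(raw, quote=True)}</div>'


if __name__ == "__main__":
    db = load_sample_db()
    for post_id, hits in scan_stored_content(db).items():
        print(f"post {post_id}: {', '.join(hits)}")
    print(render_caption(SAMPLE_ROWS[2][2]))
```

Running the module lists posts 3 and 4 as needing review and prints the escaped rendering of row 3, in which the script tag and event handler survive only as literal text. The Content Security Policy suggested in the last action reduces the blast radius of anything the scan misses, but it does not replace escaping at the point of output.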



Advisories
Source: EUVD
ID: EUVD-2025-3406
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eugenio Petullà imaGenius allows Stored XSS.This issue affects imaGenius: from n/a through 1.7.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eugenio Petulla&#8217; imaGenius imagenius allows Stored XSS.This issue affects imaGenius: from n/a through <= 1.7.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eugenio Petulla’ imaGenius imagenius allows Stored XSS.This issue affects imaGenius: from n/a through <= 1.7.

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eugenio Petullà imaGenius allows Stored XSS.This issue affects imaGenius: from n/a through 1.7.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eugenio Petulla&#8217; imaGenius imagenius allows Stored XSS.This issue affects imaGenius: from n/a through <= 1.7.
Type: References
Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 17 Jan 2025 19:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Jan 2025 20:30:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eugenio Petullà imaGenius allows Stored XSS.This issue affects imaGenius: from n/a through 1.7.
Type: Title
Values Added: WordPress imaGenius Plugin <= 1.7 - Stored Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T22:40:44.398Z

Reserved: 2025-01-16T11:30:05.454Z

Link: CVE-2025-23772

Vulnrichment

Updated: 2025-01-17T17:18:53.204Z

NVD

Status: Deferred

Published: 2025-01-16T21:15:18.860

Modified: 2026-04-28T19:28:59.863

Link: CVE-2025-23772

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T21:00:08Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')