Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jim2212001 Spiderpowa Embed PDF spiderpowa-embed-pdf allows Stored XSS. This issue affects Spiderpowa Embed PDF: from n/a through <= 1.0.
Published: 2025-01-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of user input during web page generation, allowing stored cross‑site scripting (XSS). A malicious actor can submit specially crafted content that the plugin saves and later renders without adequate sanitisation, resulting in the injection of arbitrary scripts that execute in the browsers of any users who view the affected page. This can lead to session hijacking, defacement, or theft of sensitive information.

Affected Systems

The issue affects the WordPress Spiderpowa Embed PDF plugin from its first release through version 1.0. WordPress sites that have installed any version of this plugin are vulnerable unless patched or removed.

Risk and Exploitability

The CVSS score of 6.5 classifies the flaw as moderate, but the EPSS score of less than 1% indicates a low probability of exploitation under current conditions. The vulnerability is not listed in the CISA KEV catalogue. The likely attack vector is the plugin's normal input fields: an attacker with sufficient privileges (e.g., administrator or contributor) can store a malicious payload that is later rendered to all site visitors.

Generated by OpenCVE AI on May 1, 2026 at 20:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Spiderpowa Embed PDF plugin to the newest version that contains the XSS fix.
  • If an update is not available, uninstall or disable the plugin entirely to eliminate the storage of malicious content.
  • Consider restricting role permissions for adding content via this plugin to trusted administrators only, and review existing content for injected scripts.


Advisories
Source: EUVD
ID: EUVD-2025-3439
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jimmy Hu Spiderpowa Embed PDF allows Stored XSS. This issue affects Spiderpowa Embed PDF: from n/a through 1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jimmy Hu Spiderpowa Embed PDF allows Stored XSS. This issue affects Spiderpowa Embed PDF: from n/a through 1.0.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jim2212001 Spiderpowa Embed PDF spiderpowa-embed-pdf allows Stored XSS. This issue affects Spiderpowa Embed PDF: from n/a through <= 1.0.
Type: References
Type: Metrics (cvssV3_1)
Values: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 17 Jan 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Jan 2025 20:30:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jimmy Hu Spiderpowa Embed PDF allows Stored XSS. This issue affects Spiderpowa Embed PDF: from n/a through 1.0.
Type: Title
Values Added: WordPress Spiderpowa Embed PDF plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T22:49:22.919Z

Reserved: 2025-01-16T11:30:28.608Z

Link: CVE-2025-23807

Vulnrichment

Updated: 2025-01-17T17:18:09.472Z

NVD

Status: Deferred

Published: 2025-01-16T21:15:21.800

Modified: 2026-06-17T08:57:21.810

Link: CVE-2025-23807

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T20:45:25Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')