Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Metaphor Widgets allows Stored XSS. This issue affects Metaphor Widgets: from n/a through 2.4.
Published: 2025-01-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Metaphor Widgets, a WordPress plugin developed by Metaphor Creations, suffers from an improper neutralization of user input during page rendering. The vulnerability allows an attacker to embed malicious JavaScript that is stored in the plugin’s widget content and later served to site visitors. As a result, any user who loads the affected page can execute arbitrary scripts in the victim’s browser, enabling session hijacking, defacement, or phishing. This flaw relates to CWE‑79, causing a moderate risk of confidentiality and integrity compromise.

Affected Systems

All installations of the Metaphor Widgets plugin from initial releases through version 2.4 are affected. The plugin is distributed by Metaphor Creations and is commonly used in WordPress themes to display customizable widgets.

Risk and Exploitability

The CVSS v3.1 score is 6.5, indicating moderate severity. The EPSS score below 1 % suggests a low current exploit probability, and the vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw via the plugin’s administrative interface by inserting malicious script into widget content, or by posting the script through any user‑generated content path that the plugin does not sanitize. Successful exploitation requires that the attacker have editing rights to a widget or be able to inject content that persists in the database.

Generated by OpenCVE AI on May 1, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Metaphor Widgets to the latest version (≥ 2.5 if available) or apply any vendor patch.
  • Remove or disable widgets that contain untrusted or unverified content until a patch is applied.
  • Restrict permissions by ensuring only trusted administrators can edit widget content, or implement site‑wide output sanitization to strip disallowed scripts.
  • Apply a Web Application Firewall or security plugin that blocks reflected XSS payloads as an additional defense.

Generated by OpenCVE AI on May 1, 2026 at 20:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3446 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Metaphor Widgets allows Stored XSS. This issue affects Metaphor Widgets: from n/a through 2.4.
History

Tue, 28 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Metaphor Widgets mtphr-widgets allows Stored XSS.This issue affects Metaphor Widgets: from n/a through <= 2.4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Metaphor Widgets allows Stored XSS. This issue affects Metaphor Widgets: from n/a through 2.4.
References

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Metaphor Widgets allows Stored XSS. This issue affects Metaphor Widgets: from n/a through 2.4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Metaphor Widgets mtphr-widgets allows Stored XSS.This issue affects Metaphor Widgets: from n/a through <= 2.4.
References

Thu, 16 Jan 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Jan 2025 20:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaphorcreations Metaphor Widgets allows Stored XSS. This issue affects Metaphor Widgets: from n/a through 2.4.
Title WordPress Metaphor Widgets plugin <= 2.4 - Stored Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:21.323Z

Reserved: 2025-01-16T11:30:44.311Z

Link: CVE-2025-23816

cve-icon Vulnrichment

Updated: 2025-01-16T20:57:46.243Z

cve-icon NVD

Status : Deferred

Published: 2025-01-16T21:15:22.407

Modified: 2026-04-28T19:29:02.463

Link: CVE-2025-23816

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T20:15:24Z

Weaknesses