Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sindhi WordPress Data Guard wordpress-data-guards allows Stored XSS.This issue affects WordPress Data Guard: from n/a through <= 8.
Published: 2025-01-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to inject malicious JavaScript that is permanently stored within the WordPress Data Guard plugin. When a user subsequently views content, the browser executes the injected script, which can lead to credential theft, defacement, or unauthorized actions on behalf of the victim. This is a typical Cross‑Site Scripting weakness (CWE‑79) that compromises user confidentiality and trust in the site.

Affected Systems

WordPress Data Guard plugin versions up to and including 8 are affected. The flaw exists in the WordPress Data Guard data‑guard functionality that is accessible to website administrators and users with any capacity to submit content through the plugin.

Risk and Exploitability

The CVSS score of 7.1 indicates a high impact potential, while the EPSS score of less than 1 % suggests a low probability of exploitation at the time of analysis. The flaw is not listed in the CISA KEV catalogue, implying no known widespread exploitation. The likely attack vector is a CSRF request that writes malicious payloads, requiring the victim to be logged into the site or possessing sufficient user privileges. Given the stored nature of the XSS, all users who view the affected content may be impacted.

Generated by OpenCVE AI on May 2, 2026 at 06:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress Data Guard plugin to a version newer than 8, if one is available.
  • If no patch exists, remove the plugin entirely to eliminate the vulnerable code path.
  • As a temporary measure, restrict any content submission or configuration abilities of the plugin to administrator users only and ensure that any user input is properly sanitized and escaped.

Generated by OpenCVE AI on May 2, 2026 at 06:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3458 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OriginalTips.com WordPress Data Guard allows Stored XSS.This issue affects WordPress Data Guard: from n/a through 8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OriginalTips.com WordPress Data Guard allows Stored XSS.This issue affects WordPress Data Guard: from n/a through 8. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sindhi WordPress Data Guard wordpress-data-guards allows Stored XSS.This issue affects WordPress Data Guard: from n/a through <= 8.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 17 Jan 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Jan 2025 20:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OriginalTips.com WordPress Data Guard allows Stored XSS.This issue affects WordPress Data Guard: from n/a through 8.
Title WordPress WordPress Data Guard [Website Security] plugin <= 8 - CSRF to Stored XSS vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T22:42:46.751Z

Reserved: 2025-01-16T11:30:51.097Z

Link: CVE-2025-23828

cve-icon Vulnrichment

Updated: 2025-01-17T17:50:07.172Z

cve-icon NVD

Status : Deferred

Published: 2025-01-16T21:15:24.047

Modified: 2026-06-17T08:57:34.750

Link: CVE-2025-23828

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T06:15:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')