Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aleksandar Arsovski Google Org Chart google-org-chart allows Stored XSS. This issue affects Google Org Chart: from n/a through <= 1.0.1.
Published: 2025-01-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input during page generation enables a stored XSS flaw in the Google Org Chart WordPress plugin. A malicious actor can inject arbitrary scripts that execute when the affected page is rendered, potentially hijacking the viewer's session, harvesting credentials, or defacing the site. The weakness is a classic input validation failure classified as CWE-79.

Affected Systems

The Google Org Chart plugin developed by Aleksandar Arsovski is affected for all releases up to and including version 1.0.1. Any WordPress site that has installed any of these versions inherits the vulnerability.

Risk and Exploitability

The CVSS base score of 6.5 (Medium) indicates moderate impact; the vector (AV:N/AC:L/PR:L/UI:R/S:C) records that a low-privileged account and user interaction are required, with scope changed. The EPSS score of less than 1% denotes a low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that an attacker can inject payloads through the plugin's input fields, which are persisted and later served to visitors, making the attack remote yet dependent on the site's configuration and user roles.

Generated by OpenCVE AI on May 1, 2026 at 20:13 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Google Org Chart plugin to a version newer than 1.0.1 or remove the plugin entirely if it is no longer needed
  • Ensure that any fields accepting user input are properly sanitized or encoded before output to prevent stored script execution
  • Implement a Content Security Policy that restricts inline script execution to mitigate the impact if a payload is injected

Advisories

Source: EUVD
ID: EUVD-2025-3543
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aleksandar Arsovski Google Org Chart allows Stored XSS. This issue affects Google Org Chart: from n/a through 1.0.1.

History

Thu, 23 Apr 2026 15:00:00 +0000
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  • Description changed
    Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aleksandar Arsovski Google Org Chart allows Stored XSS.This issue affects Google Org Chart: from n/a through 1.0.1.
    Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aleksandar Arsovski Google Org Chart google-org-chart allows Stored XSS.This issue affects Google Org Chart: from n/a through <= 1.0.1.
  • References updated
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Fri, 17 Jan 2025 19:15:00 +0000
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Jan 2025 20:30:00 +0000
  • Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aleksandar Arsovski Google Org Chart allows Stored XSS.This issue affects Google Org Chart: from n/a through 1.0.1.
  • Title: WordPress Google Org Chart plugin <= 1.0.1 - Cross Site Scripting (XSS) vulnerability
  • Weaknesses: CWE-79
  • References updated
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:25.107Z

Reserved: 2025-01-16T11:32:22.914Z

Link: CVE-2025-23928

Vulnrichment

Updated: 2025-01-17T17:15:19.620Z

NVD

Status: Deferred

Published: 2025-01-16T21:15:34.663

Modified: 2026-06-17T08:57:44.813

Link: CVE-2025-23928

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T20:15:24Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')