Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tamara Solution Tamara Checkout tamara-checkout allows Stored XSS. This issue affects Tamara Checkout: from n/a through < 1.9.9.1.
Published: 2025-01-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in the Tamara Checkout WordPress plugin, versions earlier than 1.9.9.1. It allows an attacker to embed malicious JavaScript that is permanently stored in the plugin’s data and executed in the browser of any user who views the affected content. The primary impact is the execution of arbitrary scripts in the victim’s browser. The weakness is classified as CWE-79.

Affected Systems

The affected product is the Tamara Checkout plugin for WordPress. Versions from the earliest available release up to, but not including, 1.9.9.1 are vulnerable. No other vendors or products are listed.

Risk and Exploitability

The CVSS base score is 6.5, indicating a medium severity. The EPSS score is less than 1%, suggesting a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the plugin’s input fields that persist data, and an attacker could exploit it by submitting crafted content that is stored and later rendered.

Generated by OpenCVE AI on May 2, 2026 at 05:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Tamara Checkout plugin to version 1.9.9.1 or later.
  • If an upgrade cannot be performed immediately, configure the site to escape all user input before rendering it in the browser, or install a security plugin that blocks XSS injections.
  • Restrict administrative access to trusted users and audit any user‑generated content for malicious scripts.

Advisories
Source: EUVD
ID: EUVD-2025-3591
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dev@tamara.co Tamara Checkout allows Stored XSS. This issue affects Tamara Checkout: from n/a through 1.9.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dev@tamara.co Tamara Checkout allows Stored XSS. This issue affects Tamara Checkout: from n/a through 1.9.8.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tamara Solution Tamara Checkout tamara-checkout allows Stored XSS. This issue affects Tamara Checkout: from n/a through < 1.9.9.1.
Title
  Removed: WordPress Tamara Checkout plugin <= 1.9.8 - Cross Site Scripting (XSS) vulnerability
  Added: WordPress Tamara Checkout plugin < 1.9.9.1 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 12 Feb 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Jan 2025 14:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dev@tamara.co Tamara Checkout allows Stored XSS. This issue affects Tamara Checkout: from n/a through 1.9.8.
Title WordPress Tamara Checkout plugin <= 1.9.8 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T23:44:13.755Z

Reserved: 2025-01-16T11:33:30.631Z

Link: CVE-2025-23997

Vulnrichment

Updated: 2025-02-12T20:27:53.009Z

NVD

Status: Deferred

Published: 2025-01-21T14:15:13.230

Modified: 2026-06-17T08:57:51.613

Link: CVE-2025-23997

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T06:00:13Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')