Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pddring Create with Code create-with-code allows DOM-Based XSS. This issue affects Create with Code: from n/a through <= 1.4.
Published: 2025-01-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation enables an attacker to inject malicious script into a victim's browser. The flaw is a DOM‑based XSS that occurs when the Create with Code plugin processes user input without proper sanitization. If exploited, an attacker can execute arbitrary JavaScript in the context of the site, potentially hijacking sessions, defacing content, or directing users to malicious resources. The weakness is classified as CWE‑79.

Affected Systems

The vulnerability affects the WordPress Create with Code plugin (pddring:Create with Code) in all versions through 1.4 (the lower bound is given as n/a). Site administrators should check whether the plugin is installed and which version is running.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score is less than 1%, suggesting that exploitation is currently unlikely but possible. The issue is not listed in the CISA KEV catalog. Exploitation requires a victim to visit or interact with a page that includes the vulnerable input handling; the attacker's script is then executed in the victim's browser context.

Generated by OpenCVE AI on May 1, 2026 at 18:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Create with Code plugin to a release that fixes the XSS issue; if version 1.4 is the latest available, check for any newer update or release that addresses the vulnerability.
  • If an immediate upgrade is not possible, consider deactivating or removing the plugin until a patched version is available.
  • Implement input validation or a web application firewall rule that blocks or sanitizes script payloads for the parameters processed by the plugin.
  • Monitor site traffic for suspicious scripts or user‑agent anomalies that might indicate exploitation attempts.
Advisories
Source: EUVD
ID: EUVD-2025-3838
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pete Dring Create with Code allows DOM-Based XSS. This issue affects Create with Code: from n/a through 1.4.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1) added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pete Dring Create with Code allows DOM-Based XSS. This issue affects Create with Code: from n/a through 1.4.
  Description added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pddring Create with Code create-with-code allows DOM-Based XSS. This issue affects Create with Code: from n/a through <= 1.4.
  References: changed
  Metrics (cvssV3_1) added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Fri, 24 Jan 2025 19:15:00 +0000
  Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Jan 2025 17:30:00 +0000
  Description added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pete Dring Create with Code allows DOM-Based XSS. This issue affects Create with Code: from n/a through 1.4.
  Title added: WordPress Create with Code plugin <= 1.4 - Cross Site Scripting (XSS) vulnerability
  Weaknesses added: CWE-79
  References: added
  Metrics (cvssV3_1) added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:30.779Z

Reserved: 2025-01-23T14:51:34.072Z

Link: CVE-2025-24638

Vulnrichment

Updated: 2025-01-24T18:46:48.370Z

NVD

Status: Deferred

Published: 2025-01-24T18:15:38.670

Modified: 2026-06-17T08:59:21.613

Link: CVE-2025-24638

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T19:00:08Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')