Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Denis Cherniatev ShMapper by Teplitsa shmapper-by-teplitsa allows Stored XSS. This issue affects ShMapper by Teplitsa: from n/a through <= 1.5.0.
Published: 2025-01-24
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ShMapper by Teplitsa WordPress plugin contains a stored cross‑site scripting (XSS) flaw caused by improper neutralization of input during web page generation. Input provided through the plugin can be persisted in the database and later rendered to any site visitor, allowing the execution of arbitrary JavaScript within that visitor’s browser. This can lead to session hijacking, data theft, or site defacement. The flaw is classified as CWE‑79.

Affected Systems

All installations of the ShMapper by Teplitsa plugin with version numbers up through and including 1.5.0 are vulnerable. The responsible vendor is Denis Cherniatev.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation likely requires the ability to submit or modify content via the plugin’s input fields, which is then stored and rendered to site visitors. The description does not specify the exact privilege level required, so it is uncertain whether an attacker needs administrative, editorial, or lower‑level WordPress access to exploit the flaw; the CVSS vector recorded for this entry (PR:H/UI:R) rates it as requiring high privileges and user interaction. Anyone who views the affected content is exposed to the injected script.

Generated by OpenCVE AI on May 2, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ShMapper by Teplitsa to a version newer than 1.5.0 or apply an official patch if available.
  • If an upgrade is not yet possible, temporarily disable or uninstall the plugin until a fix is released.
  • Audit existing content managed by the plugin and remove any embedded scripts, or use a content filtering plugin that strips disallowed HTML tags and attributes.


Advisories
Source: EUVD
ID: EUVD-2025-3868
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Teplitsa. Technologies for Social Good ShMapper by Teplitsa allows Stored XSS. This issue affects ShMapper by Teplitsa: from n/a through 1.5.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Teplitsa. Technologies for Social Good ShMapper by Teplitsa allows Stored XSS. This issue affects ShMapper by Teplitsa: from n/a through 1.5.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Denis Cherniatev ShMapper by Teplitsa shmapper-by-teplitsa allows Stored XSS. This issue affects ShMapper by Teplitsa: from n/a through <= 1.5.0.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Fri, 24 Jan 2025 17:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Teplitsa. Technologies for Social Good ShMapper by Teplitsa allows Stored XSS. This issue affects ShMapper by Teplitsa: from n/a through 1.5.0.
Title WordPress ShMapper by Teplitsa Plugin <= 1.5.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:31.716Z

Reserved: 2025-01-23T14:52:05.566Z

Link: CVE-2025-24674


NVD

Status: Deferred

Published: 2025-01-24T18:15:41.190

Modified: 2026-06-17T08:59:25.163

Link: CVE-2025-24674


OpenCVE Enrichment

Updated: 2026-05-02T05:30:26Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')