Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in listamester Listamester listamester allows Stored XSS.This issue affects Listamester: from n/a through <= 2.3.4.
Published: 2025-01-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of script‑related HTML tags allows malicious code to be stored in the Listamester plugin and delivered to other visitors when they view the affected content. The stored payload runs in the victim’s browser, enabling token theft, defacement, or redirection to phishing sites. The likely attack vector is submission or modification of content through the plugin’s input interfaces, which then persists the payload in the database.

Affected Systems

All installations of the Listamester WordPress plugin version 2.3.4 and earlier are affected. Any WordPress site that has the plugin enabled and permits user‑generated content via Listamester is vulnerable, regardless of theme or other plugins.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests that widespread exploitation is unlikely but still possible. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attacker would need to submit or modify content through the plugin’s input interfaces; the required privileges are not specified but may be limited to users with access to those forms. Once stored, the malicious script is executed for every visitor who loads the compromised content, providing broad impact on sites that rely on Listamester for content creation.

Generated by OpenCVE AI on May 2, 2026 at 05:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Listamester plugin to version 2.3.5 or later, which removes the XSS flaw.
  • If upgrading is not possible, disable or remove the Listamester plugin to eliminate the attack surface.
  • If disabling is not feasible, restrict the plugin’s input forms to trusted administrators or employ a WordPress security plugin that sanitizes output and blocks XSS payloads.

Generated by OpenCVE AI on May 2, 2026 at 05:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3872 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Listamester Listamester allows Stored XSS. This issue affects Listamester: from n/a through 2.3.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Listamester Listamester allows Stored XSS. This issue affects Listamester: from n/a through 2.3.4. Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in listamester Listamester listamester allows Stored XSS.This issue affects Listamester: from n/a through <= 2.3.4.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Fri, 24 Jan 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Jan 2025 17:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Listamester Listamester allows Stored XSS. This issue affects Listamester: from n/a through 2.3.4.
Title WordPress Listamester Plugin <= 2.3.4 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-80
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:31.716Z

Reserved: 2025-01-23T14:52:05.567Z

Link: CVE-2025-24678

cve-icon Vulnrichment

Updated: 2025-01-24T18:45:48.541Z

cve-icon NVD

Status : Deferred

Published: 2025-01-24T18:15:41.477

Modified: 2026-04-23T15:25:16.247

Link: CVE-2025-24678

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T05:30:26Z

Weaknesses