Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kyle Maurer Display Post Meta display-post-meta allows Reflected XSS. This issue affects Display Post Meta: from n/a through <= 2.4.4.
Published: 2025-03-26
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Neutralization of Input During Web Page Generation that allows reflected Cross‑Site Scripting. Unescaped input is incorporated into web pages, enabling an attacker to inject arbitrary JavaScript. This can compromise user credentials, deface content, or facilitate phishing, posing a substantial risk to confidentiality and integrity of site visitors. The weakness is classified as CWE‑79.

Affected Systems

WordPress plugin Display Post Meta by Kyle Maurer is affected. All released versions from the initial version through 2.4.4 are vulnerable. Updating to a later release, where the issue is fixed, is essential.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. The EPSS score is below 1 %, suggesting a low probability of opportunistic exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the public web interface; an attacker can craft a link or input that triggers the reflected XSS when users visit the site. Exploitation requires a victim to open the maliciously crafted page, but the impact occurs entirely in the victim’s browser.

Generated by OpenCVE AI on May 1, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Display Post Meta to the latest available version (2.4.5 or newer) to remove the reflected XSS flaw.
  • If an upgrade is not possible, temporarily disable or delete the Display Post Meta plugin to eliminate the attack surface.
  • Ensure all meta field values are properly sanitized before rendering, and conduct a site‑wide audit for residual injection points.


Advisories
| Source | ID | Title |
| --- | --- | --- |
| EUVD | EUVD-2025-8166 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kyle Maurer Display Post Meta allows Reflected XSS. This issue affects Display Post Meta: from n/a through 2.4.4. |
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kyle Maurer Display Post Meta allows Reflected XSS. This issue affects Display Post Meta: from n/a through 2.4.4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kyle Maurer Display Post Meta display-post-meta allows Reflected XSS.This issue affects Display Post Meta: from n/a through <= 2.4.4.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 26 Mar 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 26 Mar 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kyle Maurer Display Post Meta allows Reflected XSS. This issue affects Display Post Meta: from n/a through 2.4.4.
Title WordPress Display Post Meta plugin <= 1.5- Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:39.038Z

Reserved: 2025-02-12T13:58:55.638Z

Link: CVE-2025-26575

Vulnrichment

Updated: 2025-03-26T15:08:32.996Z

NVD

Status: Deferred

Published: 2025-03-26T15:16:11.203

Modified: 2026-06-17T09:02:03.090

Link: CVE-2025-26575

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T13:30:17Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')