Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Icon List Block icon-list-block allows Stored XSS. This issue affects Icon List Block: from n/a through <= 1.1.3.
Published: 2025-02-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows malicious JavaScript to be stored in icon list items and served to any visitor who views the page. This stored cross-site scripting (XSS) flaw could enable arbitrary script execution in user browsers.

Affected Systems

All releases of the Icon List Block WordPress plugin through version 1.1.3 are affected; administrators using these versions must treat the plugin as vulnerable.

Risk and Exploitability

With a CVSS base score of 6.5, the vulnerability presents moderate risk, and its EPSS score of < 1% indicates a low exploitation probability; it is not listed in CISA’s KEV catalog. The CVE description does not specify the privilege level required to inject content; however, once malicious code is stored it executes in the browsers of all visitors who load the affected content.

Generated by OpenCVE AI on May 2, 2026 at 09:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Icon List Block plugin to a release newer than 1.1.3 where input sanitisation has been fixed.
  • Disable or remove the plugin from any sites that cannot be upgraded immediately, and delete all stored list entries that may contain malicious content.
  • Implement a strong content‑security policy that disallows inline scripts and restricts executable code origins to mitigate any residual XSS vectors.



Advisories
Source: EUVD
ID: EUVD-2025-5436
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Icon List Block allows Stored XSS. This issue affects Icon List Block: from n/a through 1.1.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Icon List Block allows Stored XSS. This issue affects Icon List Block: from n/a through 1.1.3.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Icon List Block icon-list-block allows Stored XSS.This issue affects Icon List Block: from n/a through <= 1.1.3.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 25 Feb 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 25 Feb 2025 14:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Icon List Block allows Stored XSS. This issue affects Icon List Block: from n/a through 1.1.3.
Title WordPress Icon List Block plugin <= 1.1.3 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:44.452Z

Reserved: 2025-02-17T11:51:18.742Z

Link: CVE-2025-26937

Vulnrichment

Updated: 2025-02-25T15:06:50.494Z

NVD

Status: Deferred

Published: 2025-02-25T15:15:27.607

Modified: 2026-06-17T09:02:38.050

Link: CVE-2025-26937


OpenCVE Enrichment

Updated: 2026-05-02T09:15:26Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')