Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kush Sharma Kush Micro News kush-micro-news allows Stored XSS.This issue affects Kush Micro News: from n/a through <= 1.6.7.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation in the Kush Micro News plugin allows stored XSS. An attacker who can inject malicious JavaScript into content managed by the plugin can cause a victim’s browser to execute that script when viewing the affected page, potentially leading to theft of credentials, session hijacking, or site defacement. The vulnerability is a classic input sanitization failure classified as CWE‑79.

Affected Systems

WordPress installations that have the Kush Micro News plugin installed at version 1.6.7 or earlier are affected. The exploit is limited to instances where the plugin’s storage fields are accessible.

Risk and Exploitability

The CVSS score of 7.1 indicates high impact. The EPSS score of less than 1% suggests that exploitation attempts are currently uncommon. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated user with privileges to insert content into the plugin’s storage; this inference is derived from the nature of stored XSS, as the input description does not specify the exact requirements.

Generated by OpenCVE AI on May 2, 2026 at 08:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Kush Micro News plugin to a version newer than 1.6.7 if one is available.
  • If an upgrade cannot be performed immediately, disable the plugin or remove any interfaces that allow content entry to eliminate the vulnerable input surface.
  • Implement a web‑application firewall rule set or add a strong content security policy that blocks inline script execution from user‑generated content to mitigate residual risk.

Generated by OpenCVE AI on May 2, 2026 at 08:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-11634 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kush Sharma Kush Micro News allows Stored XSS. This issue affects Kush Micro News: from n/a through 1.6.7.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kush Sharma Kush Micro News allows Stored XSS. This issue affects Kush Micro News: from n/a through 1.6.7. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kush Sharma Kush Micro News kush-micro-news allows Stored XSS.This issue affects Kush Micro News: from n/a through <= 1.6.7.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 17 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kush Sharma Kush Micro News allows Stored XSS. This issue affects Kush Micro News: from n/a through 1.6.7.
Title WordPress Kush Micro News Plugin <= 1.6.7 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:48.094Z

Reserved: 2025-02-21T16:45:40.232Z

Link: CVE-2025-27314

cve-icon Vulnrichment

Updated: 2025-04-17T17:44:39.894Z

cve-icon NVD

Status : Deferred

Published: 2025-04-17T16:15:37.113

Modified: 2026-06-17T09:03:23.097

Link: CVE-2025-27314

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T08:45:38Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')