Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nurelm Get Posts nurelm-get-posts allows Stored XSS.This issue affects Get Posts: from n/a through <= 0.6.
Published: 2025-02-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Stored Cross‑Site Scripting flaw in the nurelm Get Posts WordPress plugin, allowing an attacker to inject malicious script into data that is later rendered on a web page. This input is not properly neutralized during web page generation, creating a path for an attacker to execute arbitrary JavaScript in the browsers of any user who views a page containing the stored data. The affected plugin versions are from the earliest release through version 0.6, and the flaw is how the plugin stores and outputs user supplied content.

Affected Systems

The issue affects the WordPress plugin nurelm Get Posts, available from the plugin author nurelm. Administrators running any WordPress site that has installed or has ever installed this plugin with a version less than or equal to 0.6 have a potential attack surface. No additional firmware or host versions are mentioned.

Risk and Exploitability

The CVSS score is 6.5, indicating a high‑moderate severity. The EPSS score is below 1 %, showing a very low probability of exploitation in the wild at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by submitting malicious content via the plugin’s input interface; unless mitigated, the payload can then be executed in the browser context of any visitor who loads a page where the stored content is displayed. The vulnerability is a typical XSS vector that can lead to session hijacking, defacement, or redirection for users of the affected site.

Generated by OpenCVE AI on May 2, 2026 at 09:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the latest available version (0.7 or later) to eliminate the stored XSS flaw.
  • Apply a Content Security Policy (CSP) header that disallows inline scripts and restricts script sources to trusted origins, reducing the impact if an XSS payload somehow persists.
  • Audit other plugins and custom code to ensure they properly escape data output; consider using WordPress built‑in esc_html() or wp_kses() functions.

Generated by OpenCVE AI on May 2, 2026 at 09:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-4329 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nurelm Get Posts allows Stored XSS. This issue affects Get Posts: from n/a through 0.6.
History

Fri, 24 Apr 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nurelm Get Posts allows Stored XSS. This issue affects Get Posts: from n/a through 0.6. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nurelm Get Posts nurelm-get-posts allows Stored XSS.This issue affects Get Posts: from n/a through <= 0.6.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Mon, 24 Feb 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 24 Feb 2025 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nurelm Get Posts allows Stored XSS. This issue affects Get Posts: from n/a through 0.6.
Title WordPress Get Posts plugin <= 0.6 - Stored Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:48.682Z

Reserved: 2025-02-21T16:46:02.627Z

Link: CVE-2025-27349

cve-icon Vulnrichment

Updated: 2025-02-24T16:47:23.542Z

cve-icon NVD

Status : Deferred

Published: 2025-02-24T15:15:20.363

Modified: 2026-04-23T15:26:25.240

Link: CVE-2025-27349

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T09:15:26Z

Weaknesses