Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wumii team 无觅相关文章插件 wumii-related-posts allows Stored XSS. This issue affects 无觅相关文章插件: from n/a through <= 1.0.5.7.
Published: 2025-02-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored Cross‑Site Scripting flaw caused by improper neutralization of input in the WordPress plugin created by the wumii team. An attacker can inject malicious script into content managed through the plugin, and when that content is displayed to other site users the script runs in their browsers, potentially leaking sensitive data or hijacking user sessions.

Affected Systems

Any WordPress installation using the wumii Related Posts plugin from the wumii team with a version equal to or earlier than 1.0.5.7 is affected. The vulnerability applies to every instance of this plugin that has not yet been updated beyond that release.

Risk and Exploitability

The CVSS score of 7.1 categorises the flaw as high severity, while the very low EPSS score indicates that reported exploitation is unlikely at present. It is not listed in the CISA KEV catalog. Exploitability requires access to the vulnerable plugin’s input fields, which could be achieved by an attacker with permission to add or edit posts or by compromising an administrative account. Once the payload is stored, it will execute in the browser of any user who views the affected content.

Generated by OpenCVE AI on May 2, 2026 at 04:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the wumii Related Posts plugin that addresses the XSS issue
  • If upgrading is not immediately possible, disable or remove the plugin and replace it with a trusted alternative
  • Restrict editing capabilities to trusted administrators only, limiting the ability to input content via the plugin
  • Review and sanitize existing content for any injected scripts, deleting or cleaning suspicious entries

Advisories
Source: EUVD
ID: EUVD-2025-4315
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wumii team 无觅相关文章插件 allows Stored XSS. This issue affects 无觅相关文章插件: from n/a through 1.0.5.7.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wumii team 无觅相关文章插件 allows Stored XSS. This issue affects 无觅相关文章插件: from n/a through 1.0.5.7.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wumii team 无觅相关文章插件 wumii-related-posts allows Stored XSS.This issue affects 无觅相关文章插件: from n/a through <= 1.0.5.7.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 24 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 24 Feb 2025 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wumii team 无觅相关文章插件 allows Stored XSS. This issue affects 无觅相关文章插件: from n/a through 1.0.5.7.
Title WordPress 无觅相关文章插件 plugin <= 1.0.5.7 - CSRF to Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:48.781Z

Reserved: 2025-02-21T16:46:02.628Z

Link: CVE-2025-27352

Vulnrichment

Updated: 2025-02-24T15:56:27.602Z

NVD

Status: Deferred

Published: 2025-02-24T15:15:20.643

Modified: 2026-04-23T15:26:25.603

Link: CVE-2025-27352

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T04:30:16Z
