Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A. Jones Featured Image Thumbnail Grid thumbnail-grid allows Stored XSS.This issue affects Featured Image Thumbnail Grid: from n/a through <= 6.8.
Published: 2025-03-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The affected WordPress plugin contains an input handling flaw that allows a malicious user to inject arbitrary JavaScript into the page output. The stored XSS can persist across sessions, enabling attackers to deface sites, manipulate page content, or steal session cookies from visitors. This weakness is a classic failure to neutralize input, directly mapping to the CWE‑79 classification and posing a significant integrity and confidentiality risk for any site that hosts the plugin.

Affected Systems

WordPress plugins installed from author A. Jones named Featured Image Thumbnail Grid, any released version up to and including 6.8, are vulnerable. Users running these versions should be aware that the flaw is present until a newer release or proper sanitization is applied.

Risk and Exploitability

The CVSS score of 6.5 signals a moderate potential for damage, while the extremely low EPSS (<1%) indicates that the likelihood of exploitation is currently small. The vulnerability is not part of the CISA KEV catalog. Exploitation would typically involve an attacker who can submit content through the plugin’s input interface; once stored, the malicious script executes in the context of every user who views the affected page. The attack vector is likely local to the site’s administrative or content creation functions.

Generated by OpenCVE AI on May 1, 2026 at 13:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Featured Image Thumbnail Grid plugin to the latest available version (6.9 or newer).
  • If an update is not feasible, disable or remove the plugin entirely from the WordPress installation.
  • As a temporary workaround, ensure that any data passed to the plugin is sanitized with a whitelist‑based function such as wp_kses before it is stored or rendered.

Generated by OpenCVE AI on May 1, 2026 at 13:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7870 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A. Jones Featured Image Thumbnail Grid allows Stored XSS. This issue affects Featured Image Thumbnail Grid: from n/a through 6.6.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A. Jones Featured Image Thumbnail Grid allows Stored XSS. This issue affects Featured Image Thumbnail Grid: from n/a through 6.6.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A. Jones Featured Image Thumbnail Grid thumbnail-grid allows Stored XSS.This issue affects Featured Image Thumbnail Grid: from n/a through <= 6.8.
Title WordPress Featured Image Thumbnail Grid plugin <= 6.6.1 - Cross Site Scripting (XSS) vulnerability WordPress Featured Image Thumbnail Grid plugin <= 6.8 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00046}

 epss

{'score': 0.0007}

Wed, 12 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 11 Mar 2025 21:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A. Jones Featured Image Thumbnail Grid allows Stored XSS. This issue affects Featured Image Thumbnail Grid: from n/a through 6.6.1.
Title WordPress Featured Image Thumbnail Grid plugin <= 6.6.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:50.742Z

Reserved: 2025-03-11T08:09:40.253Z

Link: CVE-2025-28918

cve-icon Vulnrichment

Updated: 2025-03-12T13:44:28.976Z

cve-icon NVD

Status : Deferred

Published: 2025-03-11T21:15:49.477

Modified: 2026-06-17T09:04:52.633

Link: CVE-2025-28918

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T14:00:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')