Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shellbot Easy Image Display easy-image-display allows Stored XSS. This issue affects Easy Image Display: from n/a through <= 1.2.5.
Published: 2025-03-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Easy Image Display plugin for WordPress contains a stored cross‑site scripting flaw. An attacker able to submit image metadata can inject JavaScript that is stored and later executed in the browsers of users who visit the page on which it is rendered. This can lead to defacement, cookie theft, or session hijacking, representing a moderate security risk. The weakness is a classic stored XSS (CWE‑79).

Affected Systems

Affected systems are WordPress sites that have the Shellbot Easy Image Display plugin installed in any version up to and including 1.2.5. No specific release is excluded beyond the 1.2.5 threshold.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate impact, while the EPSS below 1% shows a low likelihood of exploitation in the wild. The vulnerability is not yet listed in CISA’s KEV catalog. Exploitation requires an attacker to be able to inject content via the plugin's image metadata fields, which may only be possible for users with permission to upload or edit images. If user roles allow arbitrary input, an attacker can deliver malicious payloads that are executed in the browsers of all visitors to the affected page.

Generated by OpenCVE AI on May 1, 2026 at 13:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Easy Image Display plugin to the latest available version (≥ 1.2.6) which removes the XSS vulnerability.
  • Restrict the capability to upload or edit images to trusted administrators, or to editor roles that have been audited for safe input handling.
  • Deploy a web application firewall or a WordPress security plugin to block or detect cross‑site scripting attempts against the site.


Advisories
Source ID Title
EUVD EUVD-2025-7871 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shellbot Easy Image Display allows Stored XSS. This issue affects Easy Image Display: from n/a through 1.2.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shellbot Easy Image Display allows Stored XSS. This issue affects Easy Image Display: from n/a through 1.2.5.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shellbot Easy Image Display easy-image-display allows Stored XSS. This issue affects Easy Image Display: from n/a through <= 1.2.5.
References
Metrics cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss
  Removed: {'score': 0.00046}
  Added: {'score': 0.0007}


Wed, 12 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 11 Mar 2025 21:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shellbot Easy Image Display allows Stored XSS. This issue affects Easy Image Display: from n/a through 1.2.5.
Title WordPress Easy Image Display plugin <= 1.2.5 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:50.752Z

Reserved: 2025-03-11T08:09:40.253Z

Link: CVE-2025-28919

Vulnrichment

Updated: 2025-03-12T13:44:26.496Z

NVD

Status : Deferred

Published: 2025-03-11T21:15:49.623

Modified: 2026-04-23T15:26:36.190

Link: CVE-2025-28919

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:00:15Z

Weaknesses