Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in popeating Post Read Time post-read-time allows Stored XSS. This issue affects Post Read Time: from n/a through <= 1.2.6.
Published: 2025-03-11
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability, identified as Improper Neutralization of Input During Web Page Generation, allows an attacker to inject arbitrary client‑side script into data handled by the Post Read Time plugin. Stored XSS means the malicious code is saved in the database and will execute whenever the affected page is rendered, enabling attackers to hijack user sessions, deface content, or execute arbitrary actions on behalf of authenticated users within the scope of the site.

Affected Systems

This flaw afflicts the WordPress plugin "Post Read Time" developed by popeating. All released versions from the initial version through 1.2.6 are affected. Users who have installed any of these versions are at risk.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate severity, while the EPSS score being less than 1% suggests that actual exploit attempts are very rare at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an attacker creating or editing plugin content that is later rendered on the site, thereby injecting malicious payloads that trigger when visitors load the page.

Generated by OpenCVE AI on May 1, 2026 at 13:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Post Read Time plugin to the latest available version that addresses the XSS flaw
  • If an upgrade is not feasible, deactivate and delete the vulnerable plugin to remove the attack surface
  • Apply a Web Application Firewall or content‑validation rule to filter or escape user‑provided input in the affected plugin’s data fields


Advisories
Source ID Title
EUVD EUVD-2025-7876 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in popeating Post Read Time allows Stored XSS. This issue affects Post Read Time: from n/a through 1.2.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in popeating Post Read Time allows Stored XSS. This issue affects Post Read Time: from n/a through 1.2.6.
Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in popeating Post Read Time post-read-time allows Stored XSS. This issue affects Post Read Time: from n/a through <= 1.2.6.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00045}

epss

{'score': 0.00068}


Wed, 12 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 11 Mar 2025 21:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in popeating Post Read Time allows Stored XSS. This issue affects Post Read Time: from n/a through 1.2.6.
Title WordPress Post Read Time plugin <= 1.2.6 - Stored Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:50.743Z

Reserved: 2025-03-11T08:09:57.113Z

Link: CVE-2025-28926

Vulnrichment

Updated: 2025-03-12T13:44:16.035Z

NVD

Status: Deferred

Published: 2025-03-11T21:15:50.397

Modified: 2026-04-23T15:26:37.040

Link: CVE-2025-28926

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:00:15Z

Weaknesses