Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sakurapixel Lunar lunar-sell-photos-online allows Stored XSS.This issue affects Lunar: from n/a through <= 1.3.0.
Published: 2025-03-11
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Lunar plugin for WordPress contains an improper neutralization of input during web page generation, resulting in a stored cross‑site scripting vulnerability. An attacker can submit content that is stored in the database and later displayed without proper escaping, causing malicious scripts to run in the browsers of other site visitors.

Affected Systems

The vulnerability affects the sakurapixel Lunar plugin for WordPress, specifically any installation of version 1.3.0 or earlier. The affected product is named Lunar, a photo‑selling plugin that allows users to upload and sell images online.

Risk and Exploitability

The CVSS score of 5.9 indicates a medium severity vulnerability. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves a web‑based input field within the plugin that stores user‑generated content in a database and later renders it as part of a web page. If an attacker can inject malicious script into such content, it will execute in the browsers of visitors who view the page.

Generated by OpenCVE AI on May 2, 2026 at 03:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Lunar plugin to the latest version (≥1.3.1) which removes the XSS flaw.
  • If an immediate update is not feasible, disable the plugin’s input features or restrict them to trusted administrators and log all new content for review.
  • Deploy a web application firewall or employ a Content Security Policy that blocks script execution on the affected pages to mitigate the risk of active exploitation.

Generated by OpenCVE AI on May 2, 2026 at 03:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7883 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sakurapixel Lunar allows Stored XSS. This issue affects Lunar: from n/a through 1.3.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sakurapixel Lunar allows Stored XSS. This issue affects Lunar: from n/a through 1.3.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sakurapixel Lunar lunar-sell-photos-online allows Stored XSS.This issue affects Lunar: from n/a through <= 1.3.0.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00045}

 epss

{'score': 0.00068}

Wed, 12 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 11 Mar 2025 21:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sakurapixel Lunar allows Stored XSS. This issue affects Lunar: from n/a through 1.3.0.
Title WordPress Lunar plugin <= 1.3.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:51.224Z

Reserved: 2025-03-11T08:10:05.094Z

Link: CVE-2025-28936

cve-icon Vulnrichment

Updated: 2025-03-12T13:43:59.304Z

cve-icon NVD

Status : Deferred

Published: 2025-03-11T21:15:51.443

Modified: 2026-04-23T15:26:38.207

Link: CVE-2025-28936

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T03:45:33Z

Weaknesses