Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CWD Web Designer Easy Elements Hider easy-elements-hider allows Stored XSS. This issue affects Easy Elements Hider: from n/a through <= 2.0.
Published: 2025-07-04
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting issue that occurs when the CWD Web Designer Easy Elements Hider plugin does not properly neutralize user input during page generation. An attacker can inject malicious scripts into content that is later rendered for other site visitors, enabling session hijacking, defacement, or phishing. The flaw is categorized as CWE‑79 and is rated medium severity, with a CVSS score of 5.9.

Affected Systems

The affected product is the WordPress Easy Elements Hider plugin from CWD Web Designer. All releases from the initial version through 2.0 are vulnerable. An up‑to‑date installation of WordPress that includes Easy Elements Hider version 2.0 or earlier is affected.

Risk and Exploitability

The CVSS score indicates a medium risk, while an EPSS score of less than 1% suggests that the probability of exploitation is currently low. The flaw is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves submitting malicious input through the plugin’s configuration or content entry interfaces—usually requiring administrative access to edit plugin settings. Successful exploitation could compromise the confidentiality, integrity, or availability of the affected WordPress site by delivering arbitrary client‑side code to users.

Generated by OpenCVE AI on May 2, 2026 at 08:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Easy Elements Hider to the latest released version, which removes the stored XSS vulnerability.
  • If a newer version is not yet available, deactivate or delete the plugin from the site until the fix is released to prevent any XSS payloads from executing.
  • Restrict administrative access to the plugin’s configuration interface so only trusted users can submit input, reducing the likelihood of malicious payloads being injected.


Advisories
Source: EUVD
ID: EUVD-2025-19946
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CWD Web Designer Easy Elements Hider allows Stored XSS. This issue affects Easy Elements Hider: from n/a through 2.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description (value removed): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CWD Web Designer Easy Elements Hider allows Stored XSS. This issue affects Easy Elements Hider: from n/a through 2.0.
Description (value added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CWD Web Designer Easy Elements Hider easy-elements-hider allows Stored XSS. This issue affects Easy Elements Hider: from n/a through <= 2.0.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Mon, 07 Jul 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Jul 2025 09:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CWD Web Designer Easy Elements Hider allows Stored XSS. This issue affects Easy Elements Hider: from n/a through 2.0.
Title WordPress Easy Elements Hider plugin <= 2.0 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:52.021Z

Reserved: 2025-03-11T08:10:27.473Z

Link: CVE-2025-28971

Vulnrichment

Updated: 2025-07-07T17:53:19.848Z

NVD

Status: Deferred

Published: 2025-07-04T09:15:31.507

Modified: 2026-04-23T15:26:42.213

Link: CVE-2025-28971

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:30:26Z

Weaknesses