Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gopiplus Message ticker message-ticker allows Stored XSS. This issue affects Message ticker: from n/a through <= 9.3.
Published: 2025-03-24
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Stored cross‑site scripting occurs when the plugin fails to neutralize user‑supplied input before rendering it on webpages, allowing an attacker to inject malicious scripts. This flaw falls under CWE‑79 and can be triggered by any data that the plugin stores for later display.

Affected Systems

WordPress sites running the 'Message ticker' plugin by gopiplus are affected. The vulnerability is present in versions up to and including 9.3. No earlier version information is available, so any installation of 9.3 or older must be considered vulnerable.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of public exploitation at present. The flaw is not listed in CISA’s KEV catalog. The attack vector likely involves inserting malicious payloads through the plugin’s input fields. The description does not specify the required level of site access, so this inference is based on typical plugin usage; the recorded CVSS vector (AV:N/AC:L/PR:H/UI:R) does indicate a network-reachable attack that requires high privileges and user interaction. Once malicious payloads are stored, they are executed in the browsers of any visitor to the affected pages, potentially exposing the site to arbitrary JavaScript execution.

Generated by OpenCVE AI on May 2, 2026 at 11:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Message ticker plugin to the latest version that addresses the XSS issue.
  • If an update is not yet available, deactivate the plugin to eliminate the vulnerable input path.
  • Ensure that any user‑generated content processed by the plugin is properly sanitized or encoded to remove executable code before rendering.

Advisories
Source: EUVD
ID: EUVD-2025-7963
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gopiplus Message ticker allows Stored XSS. This issue affects Message ticker: from n/a through 9.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gopiplus Message ticker allows Stored XSS. This issue affects Message ticker: from n/a through 9.3.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gopiplus Message ticker message-ticker allows Stored XSS. This issue affects Message ticker: from n/a through <= 9.3.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Mon, 24 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 24 Mar 2025 14:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gopiplus Message ticker allows Stored XSS. This issue affects Message ticker: from n/a through 9.3.
Title WordPress Message ticker plugin <= 9.3 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Gopiplus Message Ticker
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:53.270Z

Reserved: 2025-03-24T12:59:40.515Z

Link: CVE-2025-30533

Vulnrichment

Updated: 2025-03-24T14:51:07.316Z

NVD

Status: Deferred

Published: 2025-03-24T14:15:21.993

Modified: 2026-04-23T15:26:48.813

Link: CVE-2025-30533

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T11:15:19Z
