Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in samsk Include URL include-url allows Stored XSS. This issue affects Include URL: from n/a through <= 0.3.5.
Published: 2025-03-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Include URL plugin for WordPress contains an improper neutralization of input during web page generation, resulting in a stored cross‑site scripting (XSS) vulnerability. Malicious scripts can be stored by an attacker and executed when other users view pages that include the stored content, potentially allowing arbitrary script execution in victims’ browsers.

Affected Systems

The vulnerability affects the Include URL plugin developed by samsk. The advisory gives no lower bound for the affected range, so all releases through version 0.3.5 are affected. Site owners using any version up to and including 0.3.5 should verify their installations and seek a fix.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS probability is below 1% and the flaw is not listed in CISA’s KEV catalog, suggesting a lower likelihood of widespread exploitation. Based on the description, it is inferred that attackers who can submit content to the plugin are able to inject malicious scripts; the impact applies to all site visitors who view affected content.

Generated by OpenCVE AI on May 2, 2026 at 03:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Include URL plugin to the latest available version once the vendor releases a fix.
  • If an update is not available, disable the plugin to prevent untrusted input from being stored or executed.
  • If disabling is not feasible, remove the plugin files entirely and consider using a vetted alternative that sanitizes user input properly.

Advisories
Source: EUVD
ID: EUVD-2025-7929
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in samsk Include URL allows Stored XSS. This issue affects Include URL: from n/a through 0.3.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in samsk Include URL allows Stored XSS. This issue affects Include URL: from n/a through 0.3.5.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in samsk Include URL include-url allows Stored XSS.This issue affects Include URL: from n/a through <= 0.3.5.
Title
  Removed: WordPress Include URL - <= <= 0.3.5 Cross Site Scripting (XSS) Vulnerability
  Added: WordPress Include URL plugin <= 0.3.5 Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Mon, 24 Mar 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 24 Mar 2025 14:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in samsk Include URL allows Stored XSS. This issue affects Include URL: from n/a through 0.3.5.
Title WordPress Include URL - <= <= 0.3.5 Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:54.889Z

Reserved: 2025-03-24T13:00:32.065Z

Link: CVE-2025-30593

Vulnrichment

Updated: 2025-03-24T14:17:48.710Z

NVD

Status: Deferred

Published: 2025-03-24T14:15:31.620

Modified: 2026-04-23T15:26:56.130

Link: CVE-2025-30593

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T03:30:16Z

Weaknesses