Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tstafford include-file allows Stored XSS. This issue affects include-file: all versions <= 1 (from n/a through 1).
Published: 2025-03-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input during web page generation allows an attacker to store malicious scripts via the include-file plugin; the scripts are executed when the page is rendered. Stored XSS of this kind can lead to cookie theft, session hijacking, defacement, or the injection of additional malicious content. The weakness is classified as CWE-79 and gives an attacker the ability to execute arbitrary client-side code in the browsers of legitimate site visitors.

Affected Systems

The tstafford include-file WordPress plugin, versions from the initial release up to and including version 1.0. Any WordPress site that has installed this plugin and is running an affected version is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 6.5, the vulnerability is of medium severity. The EPSS score of less than 1% implies a low probability of active exploitation, and the vulnerability is not catalogued in the CISA KEV database. The likely attack vector is the plugin's input interface, where an attacker with the ability to submit data (admin or guest, depending on configuration) could embed malicious payloads that are then rendered in the page. If the site's users visit a page that renders the stored input, the attack would succeed.

Generated by OpenCVE AI on May 1, 2026 at 04:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the include-file plugin to the latest version (2.0 or newer) that removes the stored XSS flaw.
  • If an update is unavailable, uninstall or completely disable the include-file plugin to eliminate the input vector.
  • Deploy a Web Application Firewall or similar filtering solution to block or sanitize scripts that could be injected via the plugin’s input fields.

Advisories
Source: EUVD
ID: EUVD-2025-7942
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tstafford include-file allows Stored XSS. This issue affects include-file: from n/a through 1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: (empty)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tstafford include-file allows Stored XSS. This issue affects include-file: from n/a through 1.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tstafford include-file include-file allows Stored XSS.This issue affects include-file: from n/a through <= 1.

Type: Title
Values Removed: WordPress include-file - <= <= 1 Cross Site Scripting (XSS) Vulnerability
Values Added: WordPress include-file plugin <= 1 Cross Site Scripting (XSS) Vulnerability

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics (cvssV3_1)
Values Removed: (empty)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Mon, 24 Mar 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (empty)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 24 Mar 2025 14:00:00 +0000

Type: Description
Values Removed: (empty)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tstafford include-file allows Stored XSS. This issue affects include-file: from n/a through 1.

Type: Title
Values Removed: (empty)
Values Added: WordPress include-file - <= <= 1 Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-79

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics (cvssV3_1)
Values Removed: (empty)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:54.980Z

Reserved: 2025-03-24T13:00:32.065Z

Link: CVE-2025-30595

Vulnrichment

Updated: 2025-03-24T14:18:15.674Z

NVD

Status: Deferred

Published: 2025-03-24T14:15:31.770

Modified: 2026-04-23T15:26:56.343

Link: CVE-2025-30595

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T04:30:08Z

Weaknesses