Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly Sitekit sitekit allows Stored XSS. This issue affects Sitekit: from n/a through <= 1.8.
Published: 2025-03-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw: the Sitekit plugin accepts unsanitized user input and later renders it on a page without escaping it. Because an attacker can persist a malicious script in the plugin's data, every visitor to the affected page has that script executed in their browser in the context of the site. This could lead to theft of credentials, session hijacking, defacement, or further drive-by attacks. The weakness is classified as CWE-79.
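The pattern described above, as an added PHP example that is not Sitekit's or webvitaly's code: a value persisted in plugin data and echoed straight into the page, next to the same output escaped for its context with WordPress's esc_html() and esc_attr(). The render functions, the sample value and the surrounding markup are constructed for illustration; the function_exists() shims only let the script run outside WordPress.

```php
<?php
// Added example (not Sitekit's or webvitaly's code): the CWE-79 pattern the
// paragraph describes, next to its hardened form. The render functions,
// the sample value and the markup are constructed for illustration.

// Shims so the script runs outside WordPress. Inside WordPress these names
// already exist and the real implementations are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string {
        // Approximation of WordPress's behaviour: drop tags and control
        // characters, collapse runs of whitespace.
        $text = strip_tags($text);
        $text = preg_replace('/[\x00-\x1F\x7F]/', '', $text);
        return trim(preg_replace('/\s+/', ' ', $text));
    }
}

// Constructed stand-in for a value saved into plugin data by a user who is
// allowed to edit settings (the PR:L precondition in the CVSS vector).
$stored = '<img src=x onerror="alert(1)">Welcome';

// Vulnerable pattern: stored plugin data concatenated straight into markup.
// Whatever was saved becomes part of the page for every visitor.
function render_unsafe(string $value): string
{
    return '<div class="sitekit-text">' . $value . '</div>';
}

// Hardened pattern: escape at output time, for the context the value lands in
// (element body vs. attribute value). The browser then shows the markup as
// text instead of executing it.
function render_safe(string $value): string
{
    return '<div class="sitekit-text" title="' . esc_attr($value) . '">'
         . esc_html($value) . '</div>';
}

echo "unsafe: ", render_unsafe($stored), PHP_EOL;
echo "safe:   ", render_safe($stored), PHP_EOL;

// Defence in depth: also sanitize on save (for example as the
// sanitize_callback of register_setting()), but output escaping stays the
// primary control because data may have been stored before a fix was applied.
echo "saved:  ", sanitize_text_field($stored), PHP_EOL;
```

Run with `php example.php`: the first line shows the stored markup unchanged, the second shows it entity-encoded (`&lt;img src=x ...`) so the browser renders it as text. A Content Security Policy that disallows inline scripts, as the recommended actions below suggest, limits the damage if an escape is missed but does not replace escaping.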

Affected Systems

The issue affects the Sitekit plugin for WordPress by webvitaly, from the initial release through version 1.8. WordPress sites with the plugin installed and configured to accept input in its fields are therefore affected. No narrower version range is given beyond the stated upper bound.

Risk and Exploitability

The CVSS score of 6.5 corresponds to medium severity, while the EPSS score of less than 1% suggests that exploitation is currently rare. The vulnerability is not listed in the CISA KEV catalog. Exploiting the flaw requires injecting malicious code into Sitekit fields, a step that likely requires access to the WordPress admin interface or a user role permitted to edit plugin settings. Once the payload is stored, it is served to every visitor who loads the affected page, so no further conditions beyond basic web access are needed.

Generated by OpenCVE AI on May 1, 2026 at 04:11 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Sitekit to the latest release (≥1.9) to eliminate the stored XSS flaw.
  • Disable or uninstall Sitekit if it is not required or if an upgrade cannot be applied immediately.
  • Implement a web application firewall or a Content Security Policy to block the execution of unexpected scripts on the site.

Advisories

Source: EUVD
ID: EUVD-2025-8395
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly Sitekit allows Stored XSS. This issue affects Sitekit: from n/a through 1.8.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly Sitekit allows Stored XSS. This issue affects Sitekit: from n/a through 1.8.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly Sitekit sitekit allows Stored XSS.This issue affects Sitekit: from n/a through <= 1.8.

Type: Title
Values Removed: WordPress Sitekit <= 1.8 - Cross Site Scripting (XSS) Vulnerability
Values Added: WordPress Sitekit plugin <= 1.8 - Cross Site Scripting (XSS) Vulnerability

Type: References

Type: Metrics (cvssV3_1)
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Thu, 27 Mar 2025 14:15:00 +0000

Type: Metrics (ssvc)
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 27 Mar 2025 11:00:00 +0000

Type: Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly Sitekit allows Stored XSS. This issue affects Sitekit: from n/a through 1.8.

Type: Title
WordPress Sitekit <= 1.8 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
CWE-79

Type: References

Type: Metrics (cvssV3_1)
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:56.955Z

Reserved: 2025-03-26T09:20:01.831Z

Link: CVE-2025-30776

Vulnrichment

Updated: 2025-03-27T13:33:36.408Z

NVD

Status: Deferred

Published: 2025-03-27T11:15:38.803

Modified: 2026-04-23T15:27:02.903

Link: CVE-2025-30776

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T04:15:08Z

Weaknesses