Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pagup WP Google Street View wp-google-street-view allows Stored XSS. This issue affects WP Google Street View: from n/a through <= 1.1.5.
Published: 2025-03-27
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input during web page generation allows a malicious actor to persistently inject JavaScript payloads that run in the browsers of visitors to the compromised site. This stored XSS flaw can be used to steal session cookies, deface content, or execute arbitrary scripts that benefit an attacker. The vulnerability originates from the WP Google Street View plugin’s lack of input filtering when storing data in the database.

Affected Systems

The Pagup WP Google Street View WordPress plugin is affected in all releases through version 1.1.5. Any WordPress installation that hosts this plugin and has not yet upgraded beyond 1.1.5 is vulnerable.

Risk and Exploitability

The CVSS score of 5.9 places the flaw in the medium severity range, while the EPSS score of less than 1% indicates a low probability of exploitation under current conditions. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a web‑based interaction where an attacker submits malicious content that becomes stored in the site’s database and subsequently rendered to all users. No special authentication is required for injection, but the attacker must be able to influence the plugin’s data entry points.

Generated by OpenCVE AI on May 1, 2026 at 04:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Google Street View plugin to a version newer than 1.1.5.
  • If upgrading is delayed, remove or delete any records that may contain malicious input from the plugin’s database tables.
  • As a temporary countermeasure, configure a Content Security Policy that restricts inline scripts and the sources from which scripts can load.

Advisories
Source: EUVD
ID: EUVD-2025-8372
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pagup WP Google Street View allows Stored XSS. This issue affects WP Google Street View: from n/a through 1.1.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description (removed): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pagup WP Google Street View allows Stored XSS. This issue affects WP Google Street View: from n/a through 1.1.5.
Description (added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pagup WP Google Street View wp-google-street-view allows Stored XSS. This issue affects WP Google Street View: from n/a through <= 1.1.5.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Thu, 27 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 27 Mar 2025 11:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pagup WP Google Street View allows Stored XSS. This issue affects WP Google Street View: from n/a through 1.1.5.
Title WordPress WP Google Street View plugin <= 1.1.5 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:57.695Z

Reserved: 2025-03-26T09:20:18.315Z

Link: CVE-2025-30799

Vulnrichment

Updated: 2025-03-27T13:59:10.934Z

NVD

Status: Deferred

Published: 2025-03-27T11:15:40.883

Modified: 2026-04-23T15:27:05.550

Link: CVE-2025-30799

OpenCVE Enrichment

Updated: 2026-05-01T04:15:08Z

Weaknesses