Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in listamester Listamester listamester allows Stored XSS. This issue affects Listamester: from n/a through <= 2.3.5.
Published: 2025-03-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Listamester WordPress plugin up to version 2.3.5 contains a stored cross-site scripting flaw that allows attackers to inject malicious scripts into data stored by the plugin. This vulnerability arises from improper neutralization of user input during web page generation. When the stored content is later rendered, the injected script can execute in the browsers of any user who visits the affected page. The potential consequences—such as disclosure of sensitive information or session hijacking—are typical of XSS vulnerabilities; these specific impacts are inferred from the nature of the flaw and are not explicitly stated in the CVE entry.

Affected Systems

The vulnerability affects the Listamester plugin for WordPress versions up to and including 2.3.5. No additional sub-version details are provided. Site administrators should check whether their installed plugin version is 2.3.5 or earlier and upgrade if necessary.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate severity. The EPSS score is less than 1 percent, implying a low probability of exploitation at present, and the issue is not listed in the CISA KEV catalog. The likely attack vector is through the plugin’s data input interfaces, where an attacker can store malicious JavaScript that is executed when any user loads the affected content. This inference is based on the description of a stored XSS flaw.

Generated by OpenCVE AI on May 1, 2026 at 13:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Listamester plugin to a version newer than 2.3.5 that contains the fix for the stored XSS flaw, if one is available.
  • If an update cannot be applied immediately, deactivate or remove the plugin from the WordPress installation to prevent execution of stored scripts.
  • Review and sanitize any existing content stored by Listamester for stray script tags, and configure WordPress or a security plugin to enforce proper input validation and output encoding in accordance with CWE-79 mitigation best practices.


Advisories
Source: EUVD
ID: EUVD-2025-8386
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in listamester Listamester allows Stored XSS. This issue affects Listamester: from n/a through 2.3.5.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in listamester Listamester allows Stored XSS. This issue affects Listamester: from n/a through 2.3.5.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in listamester Listamester listamester allows Stored XSS. This issue affects Listamester: from n/a through <= 2.3.5.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Thu, 27 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 27 Mar 2025 11:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in listamester Listamester allows Stored XSS. This issue affects Listamester: from n/a through 2.3.5.
Title WordPress Listamester plugin <= 2.3.5 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:57.989Z

Reserved: 2025-03-26T09:20:32.696Z

Link: CVE-2025-30813

Vulnrichment

Updated: 2025-03-27T13:32:42.716Z

NVD

Status: Deferred

Published: 2025-03-27T11:15:42.370

Modified: 2026-04-23T15:27:07.223

Link: CVE-2025-30813

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T13:00:12Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')