Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookProgress by Stormhill Media mybookprogress allows Stored XSS. This issue affects MyBookProgress by Stormhill Media: from n/a through <= 1.0.8.
Published: 2025-04-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is improper neutralization of input during web page generation, which enables stored Cross‑Site Scripting attacks. An attacker could inject malicious scripts that execute in the browsers of other visitors to the affected site, potentially stealing session cookies, defacing content, or redirecting users to malicious sites. The flaw is classified as CWE‑79, reflecting insufficient output encoding.

Affected Systems

The affected systems are WordPress installations running the zookatron MyBookProgress by Stormhill Media plugin at version 1.0.8 or earlier. The plugin’s code does not sanitize certain user‑supplied fields, allowing stored XSS payloads to persist in the database and be served to any site visitor.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity flaw, while the EPSS score of < 1% suggests a very low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, but an attacker could still exploit it via the plugin’s user input mechanism, especially if the site allows untrusted users to create or edit content managed by the plugin.

Generated by OpenCVE AI on April 30, 2026 at 22:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MyBookProgress plugin to a version newer than 1.0.8.
  • If upgrading is delayed, disable the plugin or restrict its use to trusted administrators only.
  • Deploy a Web Application Firewall rule that blocks or sanitizes the XSS vectors used by the plugin.



Advisories
Source: EUVD
ID: EUVD-2025-11103
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookProgress by Stormhill Media allows Stored XSS. This issue affects MyBookProgress by Stormhill Media: from n/a through 1.0.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookProgress by Stormhill Media allows Stored XSS. This issue affects MyBookProgress by Stormhill Media: from n/a through 1.0.8.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookProgress by Stormhill Media mybookprogress allows Stored XSS. This issue affects MyBookProgress by Stormhill Media: from n/a through <= 1.0.8.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 16 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 15 Apr 2025 22:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookProgress by Stormhill Media allows Stored XSS. This issue affects MyBookProgress by Stormhill Media: from n/a through 1.0.8.
Title WordPress MyBookProgress by Stormhill Media plugin <= 1.0.8 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:02.959Z

Reserved: 2025-03-26T09:22:34.906Z

Link: CVE-2025-30982

Vulnrichment

Updated: 2025-04-16T14:11:43.722Z

NVD

Status: Deferred

Published: 2025-04-15T22:15:26.957

Modified: 2026-04-23T15:27:27.080

Link: CVE-2025-30982

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T23:00:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')