Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in teastudio.pl WP Posts Carousel wp-posts-carousel allows Stored XSS. This issue affects WP Posts Carousel: from n/a through <= 1.3.8.
Published: 2025-03-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability has been identified in the WP Posts Carousel plugin from teastudio.pl. The flaw is a stored XSS: an attacker holding a low-privileged account on the site (PR:L in the CVSS vector) can submit script through plugin input that is persisted and later written into pages served to site visitors without context-appropriate output encoding. The injected script then runs in each visitor's browser under the site's origin, potentially leading to session hijacking, defacement or phishing of those visitors. The weakness is cataloged as CWE-79. The CVSS vector rates the impact on confidentiality, integrity and availability as low (C:L/I:L/A:L) and marks scope as changed, because the code executes in the visitor's browser rather than in the vulnerable plugin itself.

Affected Systems

WP Posts Carousel plugin for WordPress from teastudio.pl, versions up to and including 1.3.8. The advisory records no lower bound ("from n/a"), so every installation running 1.3.8 or earlier should be treated as affected, and this entry lists no fixed release.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) indicates moderate severity: the flaw is reachable over the network with low attack complexity, but the attacker needs a low-privileged account on the site and a victim must load the page that renders the stored payload. The EPSS score of less than 1% suggests that exploitation is currently unlikely, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment recorded on this entry reports no known exploitation and rates the issue as not automatable with partial technical impact. Based on the description, an attacker can submit a malicious payload through the plugin's input, which is stored and later displayed to every visitor of the affected page, so the script executes in those visitors' browsers with the site's origin. The risk is therefore greatest for sites that grant low-privileged accounts (for example, multi-author sites with untrusted contributors) the ability to supply content the plugin renders.

Generated by OpenCVE AI on May 1, 2026 at 03:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Posts Carousel to a release newer than 1.3.8 as soon as the vendor publishes one in which the XSS issue is fixed; this entry records no fixed version, so confirm the fix in the plugin's changelog before relying on an update.
  • If an upgrade cannot be performed immediately, restrict which accounts can supply the plugin's input (the CVSS vector requires only a low-privileged account) and sanitize stored values server-side, for example with wp_kses. Note that the durable fix for CWE-79 is context-appropriate escaping at the point of output (esc_html for text nodes, esc_attr for attributes, esc_url for links); input filtering alone is a stopgap, and stripping only <script> tags does not stop event-handler or URL-based payloads.
  • Implement a site-wide Content Security Policy that disallows inline scripts and restricts execution of external scripts to trusted origins. This limits what a remaining XSS payload can do but does not remove the vulnerability; a strict script-src will need a nonce or hash allow-list for the theme's legitimate inline scripts, so deploy it in Content-Security-Policy-Report-Only mode first.
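The stored-XSS pattern described under Impact, and the escaping, sanitization and CSP measures listed in the recommended actions, as an added PHP illustration. This is not code from WP Posts Carousel (the advisory does not identify the affected input or template) and is not a reproduction of the flaw; it shows the generic CWE-79 pattern in a WordPress shortcode beside a hardened version. The shortcode, option and function names prefixed xss_demo_ are hypothetical; the WordPress APIs used (shortcode_atts, esc_attr, esc_html, esc_url, esc_url_raw, wp_kses_post, sanitize_text_field, register_setting, current_user_can, add_action on send_headers) are the standard core functions.

```php
<?php
/*
 * Added illustration for this advisory, not code from the WP Posts Carousel
 * plugin. Names prefixed xss_demo_ are hypothetical. Only the hardened
 * shortcode handler is registered; the vulnerable one is shown for contrast.
 */

// --- Vulnerable pattern: a stored value is written into markup unescaped.
// A low-privileged author (CVSS PR:L) who controls the "title" attribute can
// store  title='x" onmouseover="alert(document.cookie)'  in post content;
// every visitor who renders the page (UI:R) then runs it in their own browser
// under the site's origin (S:C).
function xss_demo_carousel_vulnerable( $atts ) {
    $atts  = shortcode_atts( array( 'title' => '', 'link' => '' ), $atts, 'xss_demo_carousel' );
    $html  = '<div class="carousel" data-title="' . $atts['title'] . '">';
    $html .= '<a href="' . $atts['link'] . '">' . $atts['title'] . '</a></div>';
    return $html;
}

// --- Hardened pattern: escape at the point of output with the escaper that
// matches the context (attribute, text node, URL). wp_kses_post() is used only
// where a limited HTML subset is legitimately allowed.
function xss_demo_carousel_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'title' => '', 'link' => '', 'caption' => '' ), $atts, 'xss_demo_carousel' );
    $html  = '<div class="carousel" data-title="' . esc_attr( $atts['title'] ) . '">';
    $html .= '<a href="' . esc_url( $atts['link'] ) . '">' . esc_html( $atts['title'] ) . '</a>';
    $html .= '<p>' . wp_kses_post( $atts['caption'] ) . '</p></div>';
    return $html;
}
add_shortcode( 'xss_demo_carousel', 'xss_demo_carousel_hardened' );

// --- Settings saved from an admin form: sanitize on input as well, and gate
// the write behind a capability so low-privileged accounts cannot store markup.
// Output escaping above still applies when these values are rendered.
function xss_demo_sanitize_settings( $raw ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return get_option( 'xss_demo_settings', array() ); // keep the old value
    }
    $raw = (array) $raw;
    return array(
        'title'   => sanitize_text_field( $raw['title'] ?? '' ),
        'link'    => esc_url_raw( $raw['link'] ?? '' ),
        'caption' => wp_kses_post( $raw['caption'] ?? '' ),
    );
}
add_action( 'admin_init', function () {
    register_setting( 'xss_demo', 'xss_demo_settings', array(
        'type'              => 'array',
        'sanitize_callback' => 'xss_demo_sanitize_settings',
    ) );
} );

// --- CSP as mitigation, not a fix: blocks inline handlers/scripts and scripts
// from untrusted origins. A theme's own inline scripts will need a nonce or
// hash allow-list; trial it as Content-Security-Policy-Report-Only first.
function xss_demo_send_csp() {
    if ( ! headers_sent() ) {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
    }
}
add_action( 'send_headers', 'xss_demo_send_csp' );
```

Placed in a mu-plugin on a test site, a post containing [xss_demo_carousel title='x" onmouseover="alert(1)'] renders the quotes as &quot; inside the attribute and the title as inert text with the hardened handler; passing the same attributes to the vulnerable function instead produces a live onmouseover handler, which is why it is never registered here. The escaping functions are chosen per output context because esc_html alone does not make a value safe inside an attribute or a URL.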

Generated by OpenCVE AI on May 1, 2026 at 03:34 UTC.


Advisories
Source: EUVD
ID: EUVD-2025-8572
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in teastudio.pl WP Posts Carousel allows Stored XSS. This issue affects WP Posts Carousel: from n/a through 1.3.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1) added:
  {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description removed:
  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in teastudio.pl WP Posts Carousel allows Stored XSS. This issue affects WP Posts Carousel: from n/a through 1.3.8.
Description added:
  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in teastudio.pl WP Posts Carousel wp-posts-carousel allows Stored XSS.This issue affects WP Posts Carousel: from n/a through <= 1.3.8.
Title removed:
  WordPress WP Posts Carousel <= 1.3.8 - Cross Site Scripting (XSS) Vulnerability
Title added:
  WordPress WP Posts Carousel plugin <= 1.3.8 - Cross Site Scripting (XSS) Vulnerability
References: changed (values not shown)
Metrics (cvssV3_1) added:
  {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 28 Mar 2025 15:15:00 +0000

Metrics (ssvc) added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 28 Mar 2025 09:45:00 +0000

Description added:
  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in teastudio.pl WP Posts Carousel allows Stored XSS. This issue affects WP Posts Carousel: from n/a through 1.3.8.
Title added:
  WordPress WP Posts Carousel <= 1.3.8 - Cross Site Scripting (XSS) Vulnerability
Weaknesses added: CWE-79
References: added (values not shown)
Metrics (cvssV3_1) added:
  {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:05.120Z

Reserved: 2025-03-26T09:26:19.814Z

Link: CVE-2025-31094

Vulnrichment

Updated: 2025-03-28T14:21:45.971Z

NVD

Status: Deferred

Published: 2025-03-28T10:15:17.830

Modified: 2026-04-23T15:27:41.760

Link: CVE-2025-31094

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T03:45:07Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')