Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPXPO PostX ultimate-post allows DOM-Based XSS. This issue affects PostX: from n/a through <= 4.1.25.
Published: 2025-03-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user-supplied data in the PostX plugin's client-side code leads to a DOM-based XSS flaw: attacker-controlled data is written into the page by the plugin's own JavaScript rather than by the server, so the injected script runs in the victim's browser under the site's origin. This allows theft of cookies that are not flagged HttpOnly, session hijacking through authenticated requests issued from the victim's browser, defacement, or other client-side abuse, without the attacker changing anything on the server.

Affected Systems

WordPress sites running the WPXPO PostX plugin (ultimate-post), any version up to and including 4.1.25. Any front-end page on which the plugin renders its output from user-controlled data is a potential injection point.

Risk and Exploitability

The CVSS v3.1 base score of 6.5 (vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) rates this as medium severity. The vector is network-reachable and low in complexity, but it requires an attacker with a low-privilege account on the site (PR:L) and a victim who takes an action such as loading or interacting with the page carrying the payload (UI:R); scope is changed because the injected script executes in the victim's browser under the site's origin rather than inside the plugin's own component. The EPSS score below 1 % suggests a low probability of exploitation in the wild at present, the flaw is not listed in the CISA KEV catalog, and the SSVC assessment recorded on 28 Mar 2025 gives Exploitation: none, Automatable: no and Technical Impact: partial. Exploitation requires the attacker to supply crafted content that the plugin's client-side JavaScript writes into the DOM without encoding, typically through a form or shortcode entry that is not properly sanitized, and then requires the victim to load the page that renders it. Because the injection happens in the browser, a payload carried in URL data such as the fragment may never reach the server, so server-side filtering or a WAF inspecting HTTP responses will not necessarily see it.

Generated by OpenCVE AI on May 1, 2026 at 03:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PostX plugin to 4.1.26 or a later release; every version up to and including 4.1.25 falls in the affected range.
  • If an upgrade cannot be performed immediately, disable or remove the PostX plugin from the site until a patched version is deployed.
  • Ensure that any content created or edited through the plugin is encoded for the context in which it is rendered (HTML-escaped when interpolated into markup, or written through textContent/createTextNode rather than innerHTML in client-side code) rather than relying on input validation alone, since DOM-based XSS occurs at the point where JavaScript writes data into the page.
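
The flaw class described above, as an added example that is not PostX's code and not taken from the advisory: a front-end script reads a value from a DOM source (here, hypothetically, a filter name in the URL fragment) and writes it into the page through an HTML-parsing sink, beside the same rendering with output encoding at the sink and with a non-parsing DOM API. The function names, the `postx-filter` parameter and the sample payload are all constructed for illustration.

```javascript
// Added illustration, not code from PostX/WPXPO: the generic DOM-based XSS
// pattern the advisory describes, beside a hardened version. All function
// names and the URL fragment format are hypothetical.

// DOM source: a filter value the front-end script reads from location.hash,
// e.g. "#postx-filter=design". The attacker controls this without any server
// round-trip, which is what makes the flaw DOM-based. Browsers percent-encode
// some characters in the fragment; URLSearchParams decodes them again.
function readFilterFromHash(hash) {
  const params = new URLSearchParams(String(hash).replace(/^#/, ""));
  return params.get("postx-filter") || "";
}

// VULNERABLE sink: untrusted text is concatenated into markup that a real
// plugin would assign to element.innerHTML. A "<" in the value is parsed as
// a tag, so an <img onerror=...> payload executes in the victim's browser.
function renderFilterBadgeVulnerable(filter) {
  return '<span class="postx-filter">Showing: ' + filter + "</span>";
}

// Hardened: encode the HTML metacharacters before interpolation. Output
// encoding at the sink is the control; validating input on the server does
// not help when the data never passes through the server.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
function renderFilterBadgeSafe(filter) {
  return '<span class="postx-filter">Showing: ' + escapeHtml(filter) + "</span>";
}

// Preferred in browser code: avoid building HTML strings entirely and write
// the text through a non-parsing sink. Takes `document` as a parameter so the
// rest of this file still runs under Node, where no DOM exists.
function renderFilterBadgeDom(document, filter) {
  const span = document.createElement("span");
  span.className = "postx-filter";
  span.textContent = "Showing: " + filter; // textContent never parses markup
  return span;
}

// Test oracle for templating code: count element tags in the rendered markup.
// The badge itself contributes exactly two (<span> and </span>); anything more
// means untrusted data introduced an element.
function countTags(html) {
  const matches = html.match(/<\/?[a-zA-Z][^>]*>/g);
  return matches ? matches.length : 0;
}

// Constructed sample: the classic onerror payload in the URL fragment.
const PAYLOAD_HASH = "#postx-filter=<img src=x onerror=alert(document.cookie)>";
const sampleFilter = readFilterFromHash(PAYLOAD_HASH);
console.log("vulnerable:", renderFilterBadgeVulnerable(sampleFilter),
  "tags =", countTags(renderFilterBadgeVulnerable(sampleFilter)));
console.log("hardened:  ", renderFilterBadgeSafe(sampleFilter),
  "tags =", countTags(renderFilterBadgeSafe(sampleFilter)));
```

Run under Node: the first line printed shows the attacker's img element surviving into the markup (three tags), the second shows it neutralised into text (two tags). The escape table covers HTML text and double-quoted attribute contexts only; data placed into URLs, event-handler attributes or inline script needs context-specific encoding, which is why writing through textContent, or letting a framework apply its default escaping, is the lower-risk route.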



Advisories

Source: EUVD
ID: EUVD-2025-8573
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPXPO PostX allows DOM-Based XSS. This issue affects PostX: from n/a through 4.1.25.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1), value added:
  {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description, value removed:
  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPXPO PostX allows DOM-Based XSS. This issue affects PostX: from n/a through 4.1.25.
Description, value added:
  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPXPO PostX ultimate-post allows DOM-Based XSS.This issue affects PostX: from n/a through <= 4.1.25.
Title, value removed:
  WordPress PostX <= 4.1.25 - Cross Site Scripting (XSS) Vulnerability
Title, value added:
  WordPress PostX plugin <= 4.1.25 - Cross Site Scripting (XSS) Vulnerability
References: (no values shown in this record)
Metrics (cvssV3_1), value added:
  {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 28 Mar 2025 15:15:00 +0000

Metrics (ssvc), value added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 28 Mar 2025 09:45:00 +0000

Description, value added:
  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPXPO PostX allows DOM-Based XSS. This issue affects PostX: from n/a through 4.1.25.
Title, value added:
  WordPress PostX <= 4.1.25 - Cross Site Scripting (XSS) Vulnerability
Weaknesses, value added:
  CWE-79
References: (no values shown in this record)
Metrics (cvssV3_1), value added:
  {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:05.121Z

Reserved: 2025-03-26T09:26:19.815Z

Link: CVE-2025-31096

Vulnrichment

Updated: 2025-03-28T14:24:09.693Z

NVD

Status : Deferred

Published: 2025-03-28T10:15:18.013

Modified: 2026-04-23T15:27:41.993

Link: CVE-2025-31096

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T03:45:07Z

Weaknesses