Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in preetindersodhi TGG WP Optimizer tgg-wp-optimizer allows Stored XSS.This issue affects TGG WP Optimizer: from n/a through <= 1.25.
Published: 2025-03-28
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored Cross‑Site Scripting flaw that enables an attacker to inject malicious script into web pages rendered by WordPress. Once injected, the script runs in the browsers of any user who views the affected page, potentially allowing cookie theft, session hijacking, or site defacement. The issue is governed by the improper neutralization of input during page generation.

Affected Systems

The affected product is the TGG WP Optimizer plugin developed by preetindersodhi. All releases from unspecified earliest version through 1.25 are vulnerable, meaning any installation running a version up to and including 1.25 is at risk.

Risk and Exploitability

This flaw has a CVSS score of 5.9, indicating moderate severity. The EPSS score is less than 1%, implying a low likelihood of exploitation. It is not listed in CISA’s KEV catalog. The likely attack vector involves an attacker who can submit content that the plugin stores and later views; the stored payload is then rendered unsanitized on the site, affecting all visitors.

Generated by OpenCVE AI on May 1, 2026 at 12:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the TGG WP Optimizer plugin to the latest version (1.26 or newer) to eliminate the stored XSS flaw.
  • If an update cannot be made immediately, disable or uninstall the plugin so that no malicious content can be executed.
  • As a temporary workaround, ensure that any data passed through the plugin is properly sanitized and that WordPress outputs such data with HTML escape or a content security policy that blocks inline scripts.

Generated by OpenCVE AI on May 1, 2026 at 12:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-8585 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Preetinder Singh TGG WP Optimizer allows Stored XSS. This issue affects TGG WP Optimizer: from n/a through 1.22.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Preetinder Singh TGG WP Optimizer allows Stored XSS. This issue affects TGG WP Optimizer: from n/a through 1.22. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in preetindersodhi TGG WP Optimizer tgg-wp-optimizer allows Stored XSS.This issue affects TGG WP Optimizer: from n/a through <= 1.25.
Title WordPress TGG WP Optimizer <= 1.22 - Cross Site Scripting (XSS) Vulnerability WordPress TGG WP Optimizer plugin <= 1.25 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Fri, 28 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 28 Mar 2025 12:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Preetinder Singh TGG WP Optimizer allows Stored XSS. This issue affects TGG WP Optimizer: from n/a through 1.22.
Title WordPress TGG WP Optimizer <= 1.22 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:07.741Z

Reserved: 2025-03-28T11:00:51.877Z

Link: CVE-2025-31463

cve-icon Vulnrichment

Updated: 2025-03-28T13:48:08.264Z

cve-icon NVD

Status : Deferred

Published: 2025-03-28T12:15:18.960

Modified: 2026-04-23T15:27:52.483

Link: CVE-2025-31463

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T12:30:17Z

Weaknesses