Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nazmur Rahman Text Selection Color text-selection-color allows Stored XSS. This issue affects Text Selection Color: from n/a through <= 1.6.
Published: 2025-03-28
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation in Nazmur Rahman’s Text Selection Color plugin enables a stored cross‑site scripting flaw. The vulnerability stems from failing to sanitize data that the plugin writes to the WordPress database, allowing malicious scripts to be persisted and executed in the browsers of any user who later views content generated by the plugin. This stored XSS can compromise the integrity of the website’s output and expose visitors to unwanted code execution.

Affected Systems

WordPress sites that have the Text Selection Color plugin from Nazmur Rahman installed at version 1.6 or earlier are susceptible. The flaw is confined to the plugin and does not depend on the underlying operating system or hosting environment.

Risk and Exploitability

The CVSS base score of 5.9 indicates a moderate overall risk. The EPSS score of <1% suggests a low probability of exploitation at the time of analysis. Because the issue is listed as a stored XSS, an attacker would need to inject malicious payloads via the plugin’s content handling mechanisms, typically through an account with sufficient privileges to modify content. The vulnerability is not currently in CISA’s KEV catalog, so no proven exploitation campaigns have been reported, but the risk remains if an attacker can reach the target user base.

Generated by OpenCVE AI on May 2, 2026 at 02:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Text Selection Color plugin to the latest available release that resolves the XSS flaw.
  • If an updated version cannot be obtained, uninstall or disable the plugin to remove the vulnerability.
  • Audit existing content for any injected scripts and sanitize or delete suspicious entries to reduce residual risk.


Advisories
Source | ID | Title
EUVD | EUVD-2025-8582 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nazmur Rahman Text Selection Color allows Stored XSS. This issue affects Text Selection Color: from n/a through 1.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nazmur Rahman Text Selection Color allows Stored XSS. This issue affects Text Selection Color: from n/a through 1.6.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nazmur Rahman Text Selection Color text-selection-color allows Stored XSS. This issue affects Text Selection Color: from n/a through <= 1.6.
Title
  Removed: WordPress Text Selection Color <= 1.6 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress Text Selection Color plugin <= 1.6 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Fri, 28 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 28 Mar 2025 12:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nazmur Rahman Text Selection Color allows Stored XSS. This issue affects Text Selection Color: from n/a through 1.6.
Title WordPress Text Selection Color <= 1.6 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:07.767Z

Reserved: 2025-03-28T11:00:51.877Z

Link: CVE-2025-31464

Vulnrichment

Updated: 2025-03-28T13:48:37.080Z

NVD

Status: Deferred

Published: 2025-03-28T12:15:19.107

Modified: 2026-04-23T15:27:52.597

Link: CVE-2025-31464

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T03:00:13Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')