Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DEJAN Hypotext allows Stored XSS. This issue affects Hypotext: from n/a through 1.0.1.
Published: 2025-04-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw (CWE‑79, improper neutralization of input during web page generation) in the Hypotext WordPress plugin. An attacker who can submit content that the plugin renders is able to store script in it; the payload is persisted in the WordPress database and later emitted, unescaped, into pages served to every user who views the affected content. Script executing in a victim's browser in the site's origin can steal session cookies that are not HttpOnly, perform actions with the victim's privileges, deface pages, or redirect visitors to attacker-controlled sites.

Affected Systems

WordPress sites running the DEJAN Hypotext plugin at version 1.0.1 or earlier are affected. The advisory gives no lower bound ("from n/a"), so every release up to and including 1.0.1 should be treated as vulnerable. No fixed version is recorded on this page.

Risk and Exploitability

The CVSS 3.1 vector recorded for this CVE (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) describes a network-reachable attack of low complexity that requires a low-privileged account (PR:L) and some interaction from the victim (UI:R, viewing the stored content); the changed scope (S:C) reflects that the injected script executes in other users' browsers rather than in the attacker's own context. The score of 6.5 classifies the flaw as medium severity. EPSS puts the probability of exploitation in the wild below 1 %, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment on this page records Exploitation: none and Automatable: no. In practice, an authenticated user with permission to submit content handled by the plugin could store an unescaped payload that fires for every user who later views that content, including administrators.

Generated by OpenCVE AI on May 2, 2026 at 02:45 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Hypotext plugin to a release newer than 1.0.1 as soon as the vendor publishes one that resolves the XSS issue; at the time of writing this page records no fixed version, so check the plugin's changelog before assuming an update is a fix.
  • If no fixed release is available, restrict which accounts can submit content that the plugin renders (the CVSS vector shows the attacker needs an authenticated, low‑privileged account), review existing Hypotext content for injected markup such as script tags or event-handler attributes, and consider deactivating the plugin until a fix ships.
  • Deploy a Content Security Policy that does not allow unnonced inline JavaScript (a nonce- or hash-based script-src rather than 'unsafe-inline') and limits script sources to trusted hosts, so that a stored payload that reaches the page is blocked by the browser even while the vulnerable rendering path remains.

Advisories
Source ID Title
EUVD EUVD-2025-9256 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DEJAN Hypotext allows Stored XSS. This issue affects Hypotext: from n/a through 1.0.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DEJAN Hypotext allows Stored XSS. This issue affects Hypotext: from n/a through 1.0.1.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DEJAN Hypotext hypotext allows Stored XSS.This issue affects Hypotext: from n/a through <= 1.0.1.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 01 Apr 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DEJAN Hypotext allows Stored XSS. This issue affects Hypotext: from n/a through 1.0.1.
Title WordPress Hypotext plugin <= 1.0.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:12.272Z

Reserved: 2025-04-01T13:19:38.349Z

Link: CVE-2025-31761

Vulnrichment

Updated: 2025-04-01T20:32:28.475Z

NVD

Status : Deferred

Published: 2025-04-01T15:16:12.823

Modified: 2026-04-23T15:28:14.343

Link: CVE-2025-31761

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T02:45:32Z

Weaknesses