Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Leartes.NET Leartes TRY Exchange Rates leartes-try-exchange-rates allows Stored XSS. This issue affects Leartes TRY Exchange Rates: from n/a through <= 2.1.
Published: 2025-04-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored XSS in Leartes.NET's Leartes TRY Exchange Rates WordPress plugin. The plugin does not correctly neutralize user input that becomes part of generated web pages, so an attacker can inject script that executes in the browsers of users who view the affected content. Because the injected code runs with the privileges of the victim user, this can lead to session hijacking, credential theft or defacement of the site.

Affected Systems

The affected product is Leartes.NET's Leartes TRY Exchange Rates WordPress plugin, from the initial release through version 2.1. Any WordPress site running this plugin within that version range is at risk until a patch or update is applied.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the very low EPSS score (<1%) suggests that exploit activity is currently rare. The vulnerability is not listed in CISA's KEV catalog. An attacker would likely target sites exposed to the web, storing malicious content through any writable field the plugin exposes and waiting for an administrator or other privileged user to load the page, which triggers script execution. Because the payload is stored, the attack requires no user interaction beyond viewing the page.

Generated by OpenCVE AI on May 1, 2026 at 02:12 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Leartes TRY Exchange Rates plugin to a version later than 2.1 that contains the vendor's fix for the XSS issue.
  • If an upgrade cannot be performed immediately, delete the plugin from all sites or disable it to eliminate the attack surface.
  • Apply an application-layer firewall rule that blocks common script injection patterns, compensating for the plugin's missing input sanitization, and monitor web logs for suspicious payload attempts.

Advisories

Source: EUVD
ID: EUVD-2025-9259
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Leartes.NET Leartes TRY Exchange Rates allows Stored XSS. This issue affects Leartes TRY Exchange Rates: from n/a through 2.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values:

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Leartes.NET Leartes TRY Exchange Rates allows Stored XSS. This issue affects Leartes TRY Exchange Rates: from n/a through 2.1.
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Leartes.NET Leartes TRY Exchange Rates leartes-try-exchange-rates allows Stored XSS.This issue affects Leartes TRY Exchange Rates: from n/a through <= 2.1.

Type: References

Type: Metrics (cvssV3_1)
Values:

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 01 Apr 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 15:00:00 +0000

Type: Description
Values: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Leartes.NET Leartes TRY Exchange Rates allows Stored XSS. This issue affects Leartes TRY Exchange Rates: from n/a through 2.1.

Type: Title
Values: WordPress Leartes TRY Exchange Rates Plugin <= 2.1 - Stored Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values:

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:12.808Z

Reserved: 2025-04-01T13:19:54.844Z

Link: CVE-2025-31783

Vulnrichment

Updated: 2025-04-01T19:27:14.416Z

NVD

Status: Deferred

Published: 2025-04-01T15:16:16.113

Modified: 2026-04-23T15:28:17.110

Link: CVE-2025-31783

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T02:15:06Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')