Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gosign Gosign – Posts Slider Block gosign-posts-slider-block allows Stored XSS. This issue affects Gosign – Posts Slider Block: from n/a through <= 1.1.0.
Published: 2025-04-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gosign – Posts Slider Block contains a stored cross-site scripting (XSS) vulnerability: unsanitized user input is retained in posts and later rendered in visitors' browsers. The flaw is a classic CWE‑79 issue. An attacker can embed malicious JavaScript that runs whenever the affected content is viewed, potentially hijacking sessions, defacing the site, or exfiltrating data.

Affected Systems

The issue affects the WordPress plugin Gosign – Posts Slider Block for all releases from the earliest available version up to and including version 1.1.0. Site owners running any of these plugin versions should treat the environment as vulnerable.

Risk and Exploitability

The CVSS score of 6.5 signals moderate severity, and the EPSS score of less than 1% indicates a low but non‑zero likelihood of exploitation. The plugin is publicly available on WordPress, and an attacker would typically need the ability to create or modify content through the admin interface to inject the payload. Once injected, the script executes for any visitor who loads the malicious content, exposing all site users to the potential impact. The vulnerability is not listed in the CISA KEV catalogue, suggesting no known widespread exploitation at this time.

Generated by OpenCVE AI on May 1, 2026 at 01:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of the Gosign – Posts Slider Block plugin newer than 1.1.0.
  • If an upgrade is not yet available, temporarily deactivate or delete the plugin until a fix is released.
  • Restrict content‑editing permissions on the WordPress installation to limit the attack surface for future vulnerable code.

Advisories
Source: EUVD
ID: EUVD-2025-9160
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gosign Gosign – Posts Slider Block allows Stored XSS. This issue affects Gosign – Posts Slider Block: from n/a through 1.1.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gosign Gosign – Posts Slider Block allows Stored XSS. This issue affects Gosign – Posts Slider Block: from n/a through 1.1.0.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gosign Gosign – Posts Slider Block gosign-posts-slider-block allows Stored XSS.This issue affects Gosign – Posts Slider Block: from n/a through <= 1.1.0.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 01 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gosign Gosign – Posts Slider Block allows Stored XSS. This issue affects Gosign – Posts Slider Block: from n/a through 1.1.0.
Title WordPress Gosign – Posts Slider Block plugin <= 1.1.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:15.303Z

Reserved: 2025-04-01T13:21:29.404Z

Link: CVE-2025-31891

Vulnrichment

Updated: 2025-04-01T15:37:56.072Z

NVD

Status: Deferred

Published: 2025-04-01T15:16:32.250

Modified: 2026-04-23T15:28:29.857

Link: CVE-2025-31891

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T01:45:05Z

Weaknesses