Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Data443 Risk Mitigation, Inc. Welcome Bar intelly-welcome-bar allows Stored XSS. This issue affects Welcome Bar: from n/a through <= 2.0.4.
Published: 2025-04-04
Score: 5.9 Medium
EPSS: 1.0% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Data443 Risk Mitigation, Inc. Welcome Bar (intelly-welcome-bar) is vulnerable to stored cross-site scripting: malicious input can be saved by the plugin and later executed inside visitors' browsers. This can lead to credential theft, cookie hijacking, or site defacement when unsuspecting users load the compromised page. The CVSS score of 5.9 rates the vulnerability as medium severity, but it still poses a real risk of user-level compromise.

Affected Systems

The vulnerability affects the Welcome Bar plugin from Data443 Risk Mitigation, Inc., specifically all releases up to and including version 2.0.4. Any WordPress site running a version from n/a (no lower bound is given) through 2.0.4 is potentially affected.

Risk and Exploitability

The EPSS score of < 1% indicates that current exploitation is predicted to be very low, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the stored nature of the flaw means an attacker who can submit input through the plugin's configuration interface can inject JavaScript that will be served to every site visitor. The likely attack vector is an administrator or user with access to the plugin's settings page, who inserts a malicious payload that the plugin fails to neutralize in the generated HTML; this matches the CVSS vector's PR:H (high privileges required) and UI:R (user interaction required) components.

Generated by OpenCVE AI on May 2, 2026 at 02:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Welcome Bar plugin to version 2.0.5 or later to remove the stored XSS flaw.
  • Restrict administrative access to the plugin’s configuration pages so that only trusted users can edit its settings, minimizing the chance for an attacker to inject malicious code.
  • Implement input validation or web application firewall rules to filter script content submitted through the plugin's configuration interface until the vulnerability is fixed.

Generated by OpenCVE AI on May 2, 2026 at 02:32 UTC.
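The mitigation the recommended actions point at is output encoding at the point where the stored setting is written into the page. The following is an added example written for this page in plain PHP; it is not the Welcome Bar plugin's code, and the option names, setting values and function names are hypothetical. Inside a WordPress plugin the idiomatic equivalents of htmlspecialchars() below are esc_html() and esc_attr() on output, with sanitize_text_field() or wp_kses_post() applied when the setting is saved.

```php
<?php
// Added illustration, not plugin code. It simulates a settings value that an
// administrator stored and that a welcome-bar plugin later renders into every
// page. Option names, values and function names are hypothetical.

// Constructed sample of what a stored setting could contain.
$stored_settings = [
    'welcome_text' => 'Welcome! <script>alert(1)</script>',
    'link_url'     => 'javascript:alert(1)',
];

// Vulnerable pattern (CWE-79): the stored value is concatenated into HTML
// unchanged, so any markup it carries becomes live in visitors' browsers.
function render_bar_unsafe(array $s): string {
    return '<div class="welcome-bar"><a href="' . $s['link_url'] . '">'
         . $s['welcome_text'] . '</a></div>';
}

// Hardened pattern: encode for the HTML text/attribute context the value
// lands in. ENT_QUOTES also encodes single quotes, which matters inside
// attributes; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking the output.
function esc_html_ctx(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// URLs need more than entity encoding: entity-encoding "javascript:" does
// nothing, so allow only http(s) absolute URLs or site-relative paths.
function safe_url(string $url): string {
    $url = trim($url);
    if ($url !== '' && $url[0] === '/' && substr($url, 0, 2) !== '//') {
        return esc_html_ctx($url);            // site-relative path
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '#';                            // reject javascript:, data:, etc.
    }
    return esc_html_ctx($url);
}

function render_bar_safe(array $s): string {
    return '<div class="welcome-bar"><a href="' . safe_url($s['link_url']) . '">'
         . esc_html_ctx($s['welcome_text']) . '</a></div>';
}

// Simple regression check a plugin test suite could run: the rendered
// output must not contain a raw <script tag or a javascript: href.
function output_is_clean(string $html): bool {
    return stripos($html, '<script') === false
        && stripos($html, 'href="javascript:') === false;
}

echo "unsafe: " . render_bar_unsafe($stored_settings) . "\n";
echo "safe:   " . render_bar_safe($stored_settings) . "\n";
echo "unsafe clean? " . (output_is_clean(render_bar_unsafe($stored_settings)) ? 'yes' : 'no') . "\n";
echo "safe clean?   " . (output_is_clean(render_bar_safe($stored_settings)) ? 'yes' : 'no') . "\n";
```

Run with `php example.php`: the unsafe renderer emits the script tag and the javascript: link verbatim, while the hardened renderer emits `&lt;script&gt;` as inert text and replaces the rejected URL with `#`. Encoding on output is the primary control; sanitizing on save is a useful second layer but does not replace it, because values can also enter the option store through imports or direct database access.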

Advisories

Source: EUVD
ID: EUVD-2025-9875
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Data443 Risk Mitigation, Inc. Welcome Bar allows Stored XSS. This issue affects Welcome Bar: from n/a through 2.0.4.

History

(Each entry lists the changed field type, followed by the values removed and the values added.)

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics cvssV3_1:
  {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description
    Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Data443 Risk Migitation, Inc. Welcome Bar allows Stored XSS. This issue affects Welcome Bar: from n/a through 2.0.4.
    Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Data443 Risk Mitigation, Inc. Welcome Bar intelly-welcome-bar allows Stored XSS.This issue affects Welcome Bar: from n/a through <= 2.0.4.
  References
  Metrics cvssV3_1:
  {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Fri, 04 Apr 2025 21:15:00 +0000

  Metrics ssvc:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 04 Apr 2025 16:15:00 +0000

  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Data443 Risk Migitation, Inc. Welcome Bar allows Stored XSS. This issue affects Welcome Bar: from n/a through 2.0.4.
  Title: WordPress Welcome Bar plugin <= 2.0.4 - Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References
  Metrics cvssV3_1:
  {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED
Assigner: Patchstack
Published:
Updated: 2026-04-28T16:12:16.910Z
Reserved: 2025-04-04T10:00:34.178Z
Link: CVE-2025-32129

Vulnrichment

Updated: 2025-04-04T19:55:10.628Z

NVD

Status: Deferred
Published: 2025-04-04T16:15:20.633
Modified: 2026-04-23T15:28:36.633
Link: CVE-2025-32129

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T02:45:32Z

Weaknesses