Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Wetterwarner wetterwarner allows Stored XSS. This issue affects Wetterwarner: from n/a through <= 2.7.3.
Published: 2025-04-09
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Wetterwarner plugin is a stored cross‑site scripting (CWE‑79) flaw that allows an attacker to store malicious script code within the plugin’s data. When that data is rendered in web pages, the injected script runs in the browsers of site visitors. This can lead to session hijacking, theft of user credentials, or redirection to phishing sites. The flaw arises from the plugin’s failure to properly neutralize user input before page generation, directly exposing the site to client‑side attacks.

Affected Systems

WordPress sites using the Tim Wetterwarner Wetterwarner plugin at version 2.7.3 or earlier are affected. Administrators of such sites should check the installed plugin version to confirm whether a vulnerable release is present.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.9, indicating moderate severity, and an EPSS score of less than 1%, implying a low likelihood of exploitation under current conditions. Although it is not listed in the CISA KEV catalog, the exposed attack vector is remote via the web interface, letting an attacker submit malicious content that is later served to site visitors.

Generated by OpenCVE AI on May 1, 2026 at 10:52 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Wetterwarner plugin to the latest released version (any release newer than 2.7.3).
  • If an immediate upgrade is not feasible, temporarily disable or remove the plugin from the WordPress installation.
  • Review any custom code or content that may be persisted by the plugin and apply proper input sanitization or server‑side filtering before rendering.
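The last recommendation above, neutralizing stored content before it is rendered, is the actual fix for a CWE-79 stored XSS. The following snippet is an added illustration and is not code from the Wetterwarner plugin (whose source is not on this page): a hypothetical WordPress plugin that persists a weather warning and renders it on the front end, shown first in the vulnerable pattern and then in its hardened form. The option name `example_weather_warning`, the field names and the `example_*` function names are assumptions; the WordPress escaping and sanitization functions are real core APIs.

```php
<?php
// Added illustration of the vulnerable pattern behind CWE-79 and its fix.
// Hypothetical WordPress plugin code; not taken from the Wetterwarner plugin.
// Assumes a stored option 'example_weather_warning' holding admin-editable fields.

/**
 * Vulnerable pattern: stored values are echoed straight into the page.
 * Whatever was persisted earlier (e.g. through a settings form) becomes
 * live markup in every visitor's browser, including any script it carries.
 */
function example_render_warning_vulnerable() {
    $warning = get_option( 'example_weather_warning', array() );
    $title   = $warning['title'] ?? '';
    $body    = $warning['body']  ?? '';
    $url     = $warning['url']   ?? '';

    // Unescaped output in three different HTML contexts.
    echo '<div class="weather-warning" title="' . $title . '">';
    echo '<h3>' . $title . '</h3>';
    echo '<p>' . $body . '</p>';
    echo '<a href="' . $url . '">Details</a>';
    echo '</div>';
}

/**
 * Hardened pattern: neutralize on output, picking the escaper that matches
 * the context the value lands in (attribute, text node, URL, limited HTML).
 */
function example_render_warning_hardened() {
    $warning = get_option( 'example_weather_warning', array() );
    $title   = $warning['title'] ?? '';
    $body    = $warning['body']  ?? '';
    $url     = $warning['url']   ?? '';

    // Attribute context: esc_attr() encodes quotes so the value cannot
    // break out of the title="" attribute.
    echo '<div class="weather-warning" title="' . esc_attr( $title ) . '">';
    // Text-node context: esc_html() encodes <, >, &, quotes.
    echo '<h3>' . esc_html( $title ) . '</h3>';
    // Rich-text context: wp_kses_post() keeps the tags WordPress allows in
    // post content and strips everything else, including <script> and on*
    // event-handler attributes.
    echo '<p>' . wp_kses_post( $body ) . '</p>';
    // URL context: esc_url() drops disallowed schemes such as javascript:.
    echo '<a href="' . esc_url( $url ) . '">Details</a>';
    echo '</div>';
}

/**
 * Defense in depth: sanitize on save as well, and gate the write behind a
 * capability check so only trusted roles can change what is later rendered.
 * Output escaping above remains the primary control; stored data may have
 * been written by older plugin versions or other code paths.
 */
function example_save_warning( array $raw ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    $clean = array(
        'title' => sanitize_text_field( $raw['title'] ?? '' ),
        'body'  => wp_kses_post( $raw['body'] ?? '' ),
        'url'   => esc_url_raw( $raw['url'] ?? '' ),
    );
    return update_option( 'example_weather_warning', $clean );
}
```

The point of the hardened version is that escaping happens as late as possible and per context: the same `$title` needs `esc_attr()` inside an attribute and `esc_html()` between tags, and a single generic "sanitize on input" pass cannot cover both. When auditing a plugin for this class of issue, look for `echo`/`print`/`printf` of anything that came from `get_option()`, `get_post_meta()` or the database without one of these escapers wrapped around it.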

Advisories

Source: EUVD
ID: EUVD-2025-10610
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Wetterwarner allows Stored XSS. This issue affects Wetterwarner: from n/a through 2.7.2.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Wetterwarner allows Stored XSS. This issue affects Wetterwarner: from n/a through 2.7.2.
    Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Wetterwarner wetterwarner allows Stored XSS.This issue affects Wetterwarner: from n/a through <= 2.7.3.
  Title
    Removed: WordPress Wetterwarner <= 2.7.2 - Cross Site Scripting (XSS) Vulnerability
    Added: WordPress Wetterwarner plugin <= 2.7.3 - Cross Site Scripting (XSS) Vulnerability
  References: (no values shown)
  Metrics cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 09 Apr 2025 19:15:00 +0000
  Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 09 Apr 2025 16:30:00 +0000
  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Wetterwarner allows Stored XSS. This issue affects Wetterwarner: from n/a through 2.7.2.
  Title: WordPress Wetterwarner <= 2.7.2 - Cross Site Scripting (XSS) Vulnerability
  Weaknesses: CWE-79
  References: (no values shown)
  Metrics cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:22.208Z

Reserved: 2025-04-09T11:19:01.929Z

Link: CVE-2025-32489

Vulnrichment

Updated: 2025-04-09T18:22:11.878Z

NVD

Status: Deferred

Published: 2025-04-09T17:15:41.920

Modified: 2026-04-23T15:28:58.600

Link: CVE-2025-32489

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:00:15Z

Weaknesses