Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sihibbs Posts for Page posts-for-page allows DOM-Based XSS. This issue affects Posts for Page: from n/a through <= 2.1.
Published: 2025-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Posts for Page plugin (slug posts-for-page) carries a DOM-based cross-site scripting flaw (CWE-79): client-side script shipped by the plugin takes data it does not control and writes it into the page without neutralizing it, so the browser parses any injected markup and runs the script it carries. The advisory does not name the source or the sink; what makes the flaw DOM-based is that the injection happens in the victim's browser, so the payload need not be stored or reflected by the server, and request-side filtering may never see it. Script running in the site's origin can read what the victim sees, exfiltrate cookies and tokens the browser exposes to script, perform actions on the site as the victim (session hijacking), or deface the rendered content.
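What a DOM-based XSS of this class looks like in code, as an added illustration rather than the plugin's own code (the advisory does not publish the vulnerable sink): the URL fragment as source, innerHTML as sink and the `<h2 class="pfp-title">` template are assumptions made for the example, and the payload string is constructed. The block models a DOM element minimally so it runs under Node without a browser, and places the vulnerable renderer beside two hardened forms plus a post-render check that tells them apart.

```javascript
'use strict';
// Added illustration of the DOM-based XSS class in the advisory. This is NOT the
// Posts for Page plugin's code; the source (URL fragment), the sink (innerHTML)
// and the <h2 class="pfp-title"> template are assumptions for the example.

// Escape the five characters that can change parsing context inside a text node
// or a double- or single-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal stand-in for a DOM element so the example runs under Node. Assigning
// innerHTML stores raw markup; assigning textContent stores text that a real
// browser would serialise back with &, < and > escaped, which is modelled here.
function makeElement() {
  let html = '';
  return {
    get innerHTML() { return html; },
    set innerHTML(v) { html = String(v); },
    set textContent(v) { html = escapeHtml(v); },
  };
}

// Vulnerable pattern (CWE-79, DOM-based): data from the URL fragment is
// concatenated into markup and handed to innerHTML, which parses it. The fragment
// is never sent to the server, so a request-inspecting WAF does not see it.
function renderHeadingUnsafe(el, hash) {
  const title = decodeURIComponent(hash.replace(/^#/, ''));
  el.innerHTML = '<h2 class="pfp-title">' + title + '</h2>';
  return el.innerHTML;
}

// Hardened form A: escape before the value enters markup.
function renderHeadingEscaped(el, hash) {
  const title = decodeURIComponent(hash.replace(/^#/, ''));
  el.innerHTML = '<h2 class="pfp-title">' + escapeHtml(title) + '</h2>';
  return el.innerHTML;
}

// Hardened form B: never build markup from the value; assign it as text.
function renderHeadingText(el, hash) {
  const title = decodeURIComponent(hash.replace(/^#/, ''));
  el.textContent = title;
  return el.innerHTML;
}

// Post-render check: does the markup contain any element other than the ones the
// template itself emits? Usable in a test suite or a DOM-XSS scanner.
function hasInjectedTag(html, allowedTags = ['h2']) {
  const tags = [...html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowedTags.includes(t));
}

// Constructed payload: an <img> whose onerror handler fires on load with no click
// required, URL-encoded as it would appear in a link sent to the victim.
const PAYLOAD_HASH = '#' + encodeURIComponent('<img src=x onerror=alert(document.cookie)>');

// Run all three renderers against the payload and report which ones leak a tag.
function demo(hash = PAYLOAD_HASH) {
  const results = {};
  const renderers = { unsafe: renderHeadingUnsafe, escaped: renderHeadingEscaped, text: renderHeadingText };
  for (const [name, fn] of Object.entries(renderers)) {
    const html = fn(makeElement(), hash);
    results[name] = { html, injected: hasInjectedTag(html) };
  }
  return results;
}

console.log(demo());
```

Run with `node` and compare the three `html` strings: only the unsafe renderer emits a live `<img onerror=…>`; form B is the simpler fix whenever the value is meant as text, and form A is for the case where some surrounding markup is genuinely needed. The escaping applied by form A only covers text nodes and quoted attribute values; a value placed inside a script block, a URL attribute or an unquoted attribute needs a different encoder.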

Affected Systems

The sihibbs Posts for Page WordPress plugin is affected in all releases up to and including 2.1; the advisory gives no lower bound ("from n/a"), so every earlier release should be treated as affected. Any WordPress site with the plugin installed at one of those versions ships the vulnerable front-end code. The advisory on this page records no fixed version, so confirm in the plugin's changelog that a later release actually addresses this issue before treating it as patched.

Risk and Exploitability

With a CVSS 3.1 base score of 6.5 (vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, recorded in the history below), the flaw is rated medium severity. The vector says the attacker needs low privileges (PR:L, typically a low-level WordPress account) and a victim who takes an action (UI:R), such as following a crafted link or viewing content the attacker has influenced; the changed scope (S:C) reflects that the injected script runs in the victim's browser, outside the plugin's own security boundary. The EPSS score of under 1 % indicates a very low observed probability of exploitation at the time of this analysis, the SSVC assessment in the history records no known exploitation and rates the flaw not automatable, and the CVE is not listed in the CISA KEV catalog. The direct impact is confined to the victim's browser session and to whatever that user can do on the site; the server is not compromised by the XSS itself, although a victim with an administrator session can be made to perform persistent changes.

Generated by OpenCVE AI on May 1, 2026 at 08:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Posts for Page plugin as soon as the vendor publishes a release later than 2.1; at the time this page was generated no fixed version is recorded, so check the plugin's changelog rather than assuming the next version closes the flaw.
  • Until then, deactivate the plugin, or restrict the accounts that can reach the affected pages (the CVSS vector requires a low-privileged account to plant the payload) and review plugin-rendered pages for unexpected markup.
  • Deploy a Content Security Policy whose script-src directive omits 'unsafe-inline' (nonce- or hash-based sources instead), which stops injected inline scripts and event handlers from executing even if the vulnerable sink is reached; a request-inspecting WAF alone does not cover DOM-based XSS, because the payload may arrive in a URL fragment that never reaches the server.
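To check whether a policy actually satisfies the third recommendation, here is an added example (not from the advisory, OpenCVE or the plugin) that parses a Content-Security-Policy header and reports whether it blocks inline scripts and inline event handlers; the two sample headers and the `'nonce-r4nd0m'` value are constructed placeholders.

```javascript
'use strict';
// Added example, not the advisory's or the plugin's: evaluates whether a
// Content-Security-Policy header blocks inline script execution. Sample headers
// and the 'nonce-r4nd0m' value are constructed placeholders.

// Parse "dir a b; dir2 c" into a Map of directive name -> source list. A repeated
// directive is ignored after its first occurrence, as browsers do.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Sources that govern scripts: script-src, else default-src, else null, meaning
// the policy places no restriction on script at all.
function effectiveScriptSources(header) {
  const d = parseCsp(header);
  return d.get('script-src') || d.get('default-src') || null;
}

// Inline <script> blocks, inline event handlers such as onerror=, and javascript:
// URLs are blocked when the governing directive exists and does not grant
// 'unsafe-inline'. A nonce or hash source makes browsers ignore 'unsafe-inline',
// so the policy still blocks injected handlers (a handler cannot carry a nonce).
function blocksInlineScript(header) {
  const sources = effectiveScriptSources(header);
  if (sources === null) return false;
  const lower = sources.map((s) => s.toLowerCase());
  if (lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s))) return true;
  return !lower.includes("'unsafe-inline'");
}

// Human-readable verdict for a header, for a deployment checklist.
function explainCsp(header) {
  const sources = effectiveScriptSources(header);
  if (sources === null) return 'no script-src or default-src: inline script is allowed';
  return blocksInlineScript(header)
    ? `script sources ${sources.join(' ')}: inline script blocked`
    : `script sources ${sources.join(' ')}: 'unsafe-inline' present, inline script allowed`;
}

// Constructed sample policies: the permissive one many WordPress sites ship, and
// a nonce-based one (the nonce must be freshly generated by the server per response
// and attached to every legitimate <script> tag).
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const HARDENED_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'";

console.log(explainCsp(WEAK_CSP));
console.log(explainCsp(HARDENED_CSP));
```

The check covers script-src and the default-src fallback only; a policy that also sets script-src-elem or script-src-attr is governed by those more specific directives for the corresponding contexts, and 'unsafe-hashes' can re-enable specific inline handlers, so read those out separately before relying on the verdict. CSP is a mitigation layered on top of the fix, not a substitute for it: the plugin's sink still needs to stop parsing untrusted data as HTML.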

Advisories

Source: EUVD
ID: EUVD-2025-27946
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sihibbs Posts for Page allows DOM-Based XSS. This issue affects Posts for Page: from n/a through 2.1.
History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description, removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sihibbs Posts for Page allows DOM-Based XSS. This issue affects Posts for Page: from n/a through 2.1.
  Description, added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sihibbs Posts for Page posts-for-page allows DOM-Based XSS. This issue affects Posts for Page: from n/a through <= 2.1.
  References: changed (values not shown on this page)
  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Mon, 19 May 2025 19:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 19 May 2025 16:45:00 +0000 (first record)
  Description, added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sihibbs Posts for Page allows DOM-Based XSS. This issue affects Posts for Page: from n/a through 2.1.
  Title, added: WordPress Posts for Page plugin <= 2.1 - Cross Site Scripting (XSS) vulnerability
  Weaknesses, added: CWE-79
  References: added (values not shown on this page)
  Metrics (cvssV3_1), added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:29.795Z

Reserved: 2025-04-16T06:22:29.272Z

Link: CVE-2025-39369

Vulnrichment

Updated: 2025-05-19T16:56:47.538Z

NVD

Status: Deferred

Published: 2025-05-19T17:15:25.600

Modified: 2026-04-23T15:29:25.520

Link: CVE-2025-39369

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:30:12Z

Weaknesses