Description
The Daisycon prijsvergelijkers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'daisycon_uitvaart' shortcode in all versions up to, and including, 4.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-05-31
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the Daisycon prijsvergelijkers WordPress plugin. The plugin's 'daisycon_uitvaart' shortcode does not properly sanitize or escape user-supplied attributes, allowing an authenticated contributor to store malicious JavaScript in the site's content. When a page containing that shortcode is viewed, the injected script executes in the visitor's browser, which can lead to session hijacking, cookie theft, defacement, or the delivery of additional payloads that further compromise the affected users.
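The defect described above is the usual shortcode pattern of passing attributes straight into HTML. The handler below is an added example of the hardened form, not the plugin's own code: the function name, the attribute set and the markup are assumptions, and only the shortcode tag comes from the advisory.

```php
<?php
// Added example, not Daisycon's code: a shortcode handler that treats every
// attribute as untrusted. Handler name, attributes and markup are assumed.

add_shortcode( 'daisycon_uitvaart', 'example_daisycon_uitvaart_shortcode' );

function example_daisycon_uitvaart_shortcode( $atts ) {
    // shortcode_atts() drops any attribute not in the allow-list, so the
    // handler never sees attributes it was not written to handle.
    $atts = shortcode_atts(
        array(
            'title' => 'Uitvaart vergelijken',
            'width' => '100%',
            'url'   => 'https://example.com/', // placeholder default
        ),
        $atts,
        'daisycon_uitvaart'
    );

    // Sanitize on input: coerce each value to the shape the template needs.
    $title = sanitize_text_field( $atts['title'] );
    // Width: digits with an optional % or px suffix, otherwise the default.
    $width = preg_match( '/^\d{1,4}(%|px)?$/', $atts['width'] )
        ? $atts['width']
        : '100%';
    // esc_url() rejects unsafe schemes and returns '' when it does.
    $url = esc_url( $atts['url'] );

    // Escape on output, per context: esc_attr() inside an attribute value,
    // esc_html() inside element text. A value safe in one context is not
    // automatically safe in the other, so both steps are needed even after
    // sanitizing on input.
    return sprintf(
        '<div class="daisycon-uitvaart" style="width:%s"><a href="%s">%s</a></div>',
        esc_attr( $width ),
        $url,
        esc_html( $title )
    );
}
```

Contributors cannot use the `unfiltered_html` capability, so the shortcode's own output path is the only place where escaping protects visitors; relying on the post editor to filter attribute values is not sufficient.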

Affected Systems

All installations of Daisycon prijsvergelijkers up to and including version 4.9.0 are affected. The vulnerability is specific to the WordPress environment and requires the plugin to be installed. Versions later than 4.9.0 are not known to be affected. WordPress sites that grant contributor-level or higher roles to users are at risk.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate overall risk, and the EPSS value of less than 1% shows a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no evidence of active exploitation. A likely attack path would involve a user with contributor privileges inserting a malicious attribute into the shortcode via the WordPress editor; the payload persists in the stored content and runs each time the content is viewed. Because the script is stored, it can affect every user who loads the affected page.

Generated by OpenCVE AI on April 21, 2026 at 20:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Daisycon prijsvergelijkers plugin version, which removes the stored XSS bug in the 'daisycon_uitvaart' shortcode.
  • After updating, review all existing posts and pages that use the shortcode to ensure no malicious attributes remain, and delete or correct any that do.
  • Limit contributor-level access on the WordPress site until the plugin update is applied, or review user role assignments to reduce the risk surface.


Advisories
Source: EUVD
ID: EUVD-2025-16547
Title: The Daisycon prijsvergelijkers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'daisycon_uitvaart' shortcode in all versions up to, and including, 4.8.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

History

Wed, 08 Apr 2026 17:45:00 +0000

Description
  Removed: The Daisycon prijsvergelijkers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'daisycon_uitvaart' shortcode in all versions up to, and including, 4.8.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  Added: The Daisycon prijsvergelijkers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'daisycon_uitvaart' shortcode in all versions up to, and including, 4.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title
  Removed: Daisycon prijsvergelijkers <= 4.8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
  Added: Daisycon prijsvergelijkers <= 4.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
References
  (updated; no values listed)

Mon, 02 Jun 2025 20:15:00 +0000

Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 31 May 2025 06:45:00 +0000

Description
  Added: The Daisycon prijsvergelijkers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'daisycon_uitvaart' shortcode in all versions up to, and including, 4.8.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title
  Added: Daisycon prijsvergelijkers <= 4.8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses
  Added: CWE-79
References
  (added; no values listed)
Metrics
  Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:01:07.352Z

Reserved: 2025-05-12T15:19:35.473Z

Link: CVE-2025-4590

Vulnrichment

Updated: 2025-06-02T15:18:24.660Z

NVD

Status: Deferred

Published: 2025-05-31T07:15:20.643

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4590

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T20:45:25Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')