Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Post in page for Elementor allows DOM-Based XSS. This issue affects Post in page for Elementor: from n/a through 1.0.1.
Published: 2025-04-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an improper neutralization of input during web page generation that allows a DOM‑based XSS attack by injecting arbitrary JavaScript into the rendered page. An attacker can exploit the plugin to execute code in the browsers of users who view the affected content, potentially compromising the confidentiality, integrity, or availability of information presented to those users.

Affected Systems

The affected target is the WordPress Post in page for Elementor plugin, version 1.0.1 and earlier, deployed by Michael. Any WordPress installation that has this plugin and an affected version installed is at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate impact due to the ability to run client‑side scripts. The EPSS score is below 1%, implying a very low probability of exploitation at the present time. The vulnerability is not listed in the CISA KEV catalog, meaning no widespread exploitation has been reported. The likely attack vector is through user‑controllable post content or URL parameters that the plugin fails to sanitize, enabling a DOM‑based XSS during page rendering.

Generated by OpenCVE AI on April 30, 2026 at 21:35 UTC.

Remediation

Vendor Solution

Update the WordPress Post in page for Elementor plugin to the latest available version (at least 1.0.2).

OpenCVE Recommended Actions

  • Update the Post in page for Elementor plugin to version 1.0.2 or later.
  • If the plugin is not required for site functionality, uninstall it to remove the vulnerability.
  • Review existing posts and pages for embedded scripts, and remove any malicious or suspicious content before deploying the update.

Generated by OpenCVE AI on April 30, 2026 at 21:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-12321 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Post in page for Elementor allows DOM-Based XSS. This issue affects Post in page for Elementor: from n/a through 1.0.1.
History

Tue, 28 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Post in page for Elementor post-in-page-for-elementor allows DOM-Based XSS.This issue affects Post in page for Elementor: from n/a through <= 1.0.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Post in page for Elementor allows DOM-Based XSS. This issue affects Post in page for Elementor: from n/a through 1.0.1.
References

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Post in page for Elementor allows DOM-Based XSS. This issue affects Post in page for Elementor: from n/a through 1.0.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Post in page for Elementor post-in-page-for-elementor allows DOM-Based XSS.This issue affects Post in page for Elementor: from n/a through <= 1.0.1.
References

Wed, 07 May 2025 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Migaweb
Migaweb post In Page For Elementor
CPEs cpe:2.3:a:migaweb:post_in_page_for_elementor:*:*:*:*:*:wordpress:*:*
Vendors & Products Migaweb
Migaweb post In Page For Elementor

Tue, 22 Apr 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 22 Apr 2025 10:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Post in page for Elementor allows DOM-Based XSS. This issue affects Post in page for Elementor: from n/a through 1.0.1.
Title WordPress Post in page for Elementor plugin <= 1.0.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Migaweb Post In Page For Elementor
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:36.455Z

Reserved: 2025-04-22T08:46:38.825Z

Link: CVE-2025-46225

cve-icon Vulnrichment

Updated: 2025-04-22T17:02:43.558Z

cve-icon NVD

Status : Modified

Published: 2025-04-22T10:15:14.223

Modified: 2026-04-28T19:32:08.917

Link: CVE-2025-46225

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T21:45:26Z

Weaknesses