Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ferranfg MPL-Publisher mpl-publisher allows Stored XSS. This issue affects MPL-Publisher: from n/a through <= 2.18.0.
Published: 2025-04-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation leads to stored cross‑site scripting in the MPL‑Publisher plugin. An attacker can inject malicious scripts that execute in the browsers of users who view affected pages, potentially stealing credentials, defacing content, or redirecting traffic. This flaw falls under CWE‑79 and represents a moderate severity compromise of confidentiality, integrity, and availability of the affected WordPress site.

Affected Systems

The vulnerability affects WordPress sites that have the MPL‑Publisher plugin by ferranfg installed, in versions up to and including 2.18.0. The plugin serves as a content publishing interface, and every release from the first through 2.18.0 is listed as affected.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate risk overall, while the EPSS score of less than 1% suggests a relatively low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to submit or influence content stored by the plugin, which may require administrative or contributor access to the WordPress installation. The impact is scoped to any user who accesses the compromised content, potentially allowing widespread script execution within the affected site.

Generated by OpenCVE AI on April 30, 2026 at 21:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MPL‑Publisher plugin to the latest supported version where the XSS flaw is fixed.
  • If an update is not immediately available, disable or delete the MPL‑Publisher plugin to remove the vulnerable functionality.
  • Configure a Web Application Firewall to block known XSS attack patterns targeting the plugin endpoints.


Advisories
Source: EUVD
ID: EUVD-2025-12322
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ferranfg MPL-Publisher allows Stored XSS. This issue affects MPL-Publisher: from n/a through 2.18.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ferranfg MPL-Publisher allows Stored XSS. This issue affects MPL-Publisher: from n/a through 2.18.0.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ferranfg MPL-Publisher mpl-publisher allows Stored XSS.This issue affects MPL-Publisher: from n/a through <= 2.18.0.

Type: Title
Values Removed: WordPress MPL-Publisher <= 2.18.0 - Cross Site Scripting (XSS) Vulnerability
Values Added: WordPress MPL-Publisher plugin <= 2.18.0 - Cross Site Scripting (XSS) Vulnerability

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Wed, 07 May 2025 19:45:00 +0000

Type: First Time appeared
Values Added: Mpl-publisher, Mpl-publisher mpl-publisher

Type: CPEs
Values Added: cpe:2.3:a:mpl-publisher:mpl-publisher:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Mpl-publisher, Mpl-publisher mpl-publisher

Tue, 22 Apr 2025 17:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 22 Apr 2025 10:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ferranfg MPL-Publisher allows Stored XSS. This issue affects MPL-Publisher: from n/a through 2.18.0.

Type: Title
Values Added: WordPress MPL-Publisher <= 2.18.0 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:36.451Z

Reserved: 2025-04-22T08:46:38.826Z

Link: CVE-2025-46226

Vulnrichment

Updated: 2025-04-22T17:02:18.096Z

NVD

Status: Modified

Published: 2025-04-22T10:15:15.427

Modified: 2026-04-23T15:29:54.340

Link: CVE-2025-46226

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T21:45:26Z

Weaknesses