Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in warmwhisky GTDB Guitar Tuners guitar-tuner allows Stored XSS.This issue affects GTDB Guitar Tuners: from n/a through <= 4.2.2.
Published: 2025-04-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Neutralization of Input During Web Page Generation that allows a stored cross‑site scripting (XSS) flaw. An attacker can inject malicious scripts into the GTDB Guitar Tuners plugin’s data fields, causing the script to run whenever a site visitor loads the affected page. This can lead to session hijacking, cookie theft, defacement, or the execution of arbitrary client‑side code, affecting confidentiality and integrity for all users.

Affected Systems

WordPress installations that use the GTDB Guitar Tuners plugin from the vendor warmwhisky, versions 4.2.2 and earlier, are susceptible. The issue is present in all releases identified as affecting the plugin up to and including 4.2.2.

Risk and Exploitability

The plugin’s CVSS score of 6.5 indicates moderate severity. The EPSS score is less than 1%, suggesting a low likelihood of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Attack exploitation would require an attacker to supply malicious input that is stored by the plugin, which attackers could inject through any interface that accepts user‑generated content, such as settings pages or public forms. If successful, the XSS propagates to all users who view the affected page.

Generated by OpenCVE AI on April 30, 2026 at 21:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GTDB Guitar Tuners plugin to the latest version.
  • If an upgrade is not possible, restrict or disable the plugin’s input areas to prevent script injection.
  • Verify that no malicious scripts remain in the database and consider using a web‑application firewall or security plugin to block script tags.

Generated by OpenCVE AI on April 30, 2026 at 21:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-12088 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in warmwhisky GTDB Guitar Tuners allows Stored XSS. This issue affects GTDB Guitar Tuners: from n/a through 4.2.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in warmwhisky GTDB Guitar Tuners allows Stored XSS. This issue affects GTDB Guitar Tuners: from n/a through 4.2.2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in warmwhisky GTDB Guitar Tuners guitar-tuner allows Stored XSS.This issue affects GTDB Guitar Tuners: from n/a through <= 4.2.2.
Title WordPress GTDB Guitar Tuners <= 4.2.2 - Cross Site Scripting (XSS) Vulnerability WordPress GTDB Guitar Tuners plugin <= 4.2.2 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Fri, 25 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 24 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in warmwhisky GTDB Guitar Tuners allows Stored XSS. This issue affects GTDB Guitar Tuners: from n/a through 4.2.2.
Title WordPress GTDB Guitar Tuners <= 4.2.2 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:37.474Z

Reserved: 2025-04-24T14:22:09.615Z

Link: CVE-2025-46438

cve-icon Vulnrichment

Updated: 2025-04-24T19:53:46.928Z

cve-icon NVD

Status : Deferred

Published: 2025-04-24T16:15:34.910

Modified: 2026-04-23T15:29:59.360

Link: CVE-2025-46438

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T21:15:06Z

Weaknesses