Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gnanavelshenll WP Custom Post Popup custom-post-popup allows DOM-Based XSS. This issue affects WP Custom Post Popup: from n/a through <= 1.0.1.
Published: 2025-04-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress WP Custom Post Popup plugin fails to neutralize input during web page generation, allowing an attacker to inject arbitrary scripts that execute in a victim's browser. The vulnerability is a DOM-based XSS flaw classified as CWE-79. If exploited, an attacker could steal session cookies, deface content, or redirect visitors to phishing sites, compromising the confidentiality and integrity of the affected site and its visitors.

Affected Systems

The flaw affects the WP Custom Post Popup plugin developed by gnanavelshenll, specifically all releases from the earliest available version through version 1.0.1. Any WordPress installation running this plugin within the stated version range is impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. The attack vector is inferred to be web-based from the description of the flaw as DOM-based XSS: an attacker would need to get malicious input into a part of the page that the plugin's client-side code writes into the DOM without proper escaping. The recorded CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) indicates that low privileges and user interaction are required, and that the impact extends beyond the vulnerable component (changed scope).

Generated by OpenCVE AI on April 30, 2026 at 20:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Custom Post Popup plugin to a version newer than 1.0.1 when available.
  • If no update is released, disable or permanently delete the plugin to eliminate the vulnerable code.
  • When manual patching is necessary, edit the plugin’s code to properly escape or sanitize all user‑controlled input before rendering it in the browser.


Advisories

Source: EUVD
ID: EUVD-2025-12047
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gnanavelshenll WP Custom Post Popup allows DOM-Based XSS. This issue affects WP Custom Post Popup: from n/a through 1.0.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description
    Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gnanavelshenll WP Custom Post Popup allows DOM-Based XSS. This issue affects WP Custom Post Popup: from n/a through 1.0.1.
    Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gnanavelshenll WP Custom Post Popup custom-post-popup allows DOM-Based XSS.This issue affects WP Custom Post Popup: from n/a through <= 1.0.1.
  Title
    Removed: WordPress WP Custom Post Popup <= 1.0.1 - Cross Site Scripting (XSS) Vulnerability
    Added: WordPress WP Custom Post Popup plugin <= 1.0.1 - Cross Site Scripting (XSS) Vulnerability
  References: (no values listed)
  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Fri, 25 Apr 2025 14:15:00 +0000

  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 24 Apr 2025 16:15:00 +0000

  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gnanavelshenll WP Custom Post Popup allows DOM-Based XSS. This issue affects WP Custom Post Popup: from n/a through 1.0.1.
  Title: WordPress WP Custom Post Popup <= 1.0.1 - Cross Site Scripting (XSS) Vulnerability
  Weaknesses: CWE-79
  References: (no values listed)
  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:38.102Z

Reserved: 2025-04-24T14:22:38.654Z

Link: CVE-2025-46471

Vulnrichment

Updated: 2025-04-24T19:53:23.113Z

NVD

Status: Deferred

Published: 2025-04-24T16:15:37.850

Modified: 2026-04-23T15:30:03.657

Link: CVE-2025-46471

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T21:00:15Z

Weaknesses