Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bas Matthee LSD Custom taxonomy and category meta custom-taxonomy-category-and-term-fields allows Cross Site Request Forgery. This issue affects LSD Custom taxonomy and category meta: from n/a through <= 1.3.2.
Published: 2025-04-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) in the LSD Custom taxonomy and category meta plugin lets an attacker-controlled page make a logged-in user's browser submit a forged (CSRF) request that stores unescaped input in taxonomy or category fields. When those fields are later rendered, the stored input executes as script in the context of the authenticated WordPress administrator or user, enabling theft of session cookies, malicious redirects, or defacement. The weakness is classified as CWE-79.

Affected Systems

The affected product is the LSD Custom taxonomy and category meta plugin developed by Bas Matthee. All released versions up through and including 1.3.2 are vulnerable. No specific major or minor version subdivisions are identified beyond the inclusive upper bound.

Risk and Exploitability

The CVSS score of 7.1 indicates a high-severity vulnerability, while the EPSS score of less than one percent suggests a low likelihood of exploitation in the wild. Consistent with the CVSS vector (PR:N, UI:R), the attacker needs no account of their own but does need a user who is already logged into the WordPress admin interface to be lured into triggering the forged request, after which the unescaped input leads to cross-site scripting. The vulnerability is not currently listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 30, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LSD Custom taxonomy and category meta plugin to the latest released version (greater than 1.3.2).
  • If an upgrade is not immediately possible, deactivate or uninstall the plugin to remove the vulnerable code path.
  • Configure a web application firewall to block or sanitize requests that target taxonomy and category field endpoints, ensuring that any user input is properly escaped before rendering.
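The following is an added illustration of the two defects the advisory describes (a write that no anti-CSRF token protects, and a field value echoed without escaping) next to a hardened version; it is hypothetical code, not the plugin's own, and every demo_* name, the field name lsd_demo_field and the admin-post route are assumptions.

```php
<?php
// Added illustration, not the plugin's own code: a hypothetical admin-post
// handler that stores one term-meta field ("lsd_demo_field") and a form that
// renders it. All demo_* names are assumed; the real plugin's code path differs.

// VULNERABLE pattern: no nonce and no capability check, so any page a logged-in
// user visits can make the browser POST here; the value is stored raw and later
// echoed into the admin page unescaped, turning the CSRF into stored XSS.
function demo_vuln_save() {
    update_term_meta((int) $_POST['term_id'], 'lsd_demo_field', $_POST['lsd_demo_field']);
}
function demo_vuln_field($term) {
    $value = get_term_meta($term->term_id, 'lsd_demo_field', true);
    echo '<input type="text" name="lsd_demo_field" value="' . $value . '">';
}

// HARDENED pattern: the form carries a nonce; the handler verifies nonce and
// capability and sanitizes on write; output is escaped where it is rendered.
function demo_safe_form($term) {
    $value = get_term_meta($term->term_id, 'lsd_demo_field', true);
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    echo '<input type="hidden" name="action" value="demo_save">';
    echo '<input type="hidden" name="term_id" value="' . (int) $term->term_id . '">';
    wp_nonce_field('demo_save_' . $term->term_id, 'demo_nonce');
    echo '<input type="text" name="lsd_demo_field" value="' . esc_attr($value) . '">';
    echo '<button type="submit">Save</button></form>';
}
function demo_safe_save() {
    $term_id = isset($_POST['term_id']) ? (int) $_POST['term_id'] : 0;
    if (!$term_id || !isset($_POST['demo_nonce'])
        || !wp_verify_nonce($_POST['demo_nonce'], 'demo_save_' . $term_id)) {
        wp_die('Invalid request', '', array('response' => 403)); // forged or stale request
    }
    if (!current_user_can('edit_term', $term_id)) {
        wp_die('Insufficient permissions', '', array('response' => 403));
    }
    $clean = sanitize_text_field(wp_unslash($_POST['lsd_demo_field'] ?? ''));
    update_term_meta($term_id, 'lsd_demo_field', $clean);
    wp_safe_redirect(wp_get_referer() ?: admin_url());
    exit;
}

// Only the hardened handler is wired up; the vulnerable functions are for contrast.
add_action('admin_post_demo_save', 'demo_safe_save');
```

A WAF rule, as the recommendation above suggests, can only filter traffic to the write endpoint; the nonce check stops the forged write itself and the output escaping stops stored values from executing even if one slips through.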


Advisories

Source: EUVD
ID: EUVD-2025-12031
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bas Matthee LSD Custom taxonomy and category meta allows Cross Site Request Forgery. This issue affects LSD Custom taxonomy and category meta: from n/a through 1.3.2.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1), values added:
    {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description, values removed:
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bas Matthee LSD Custom taxonomy and category meta allows Cross Site Request Forgery. This issue affects LSD Custom taxonomy and category meta: from n/a through 1.3.2.
  Description, values added:
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bas Matthee LSD Custom taxonomy and category meta custom-taxonomy-category-and-term-fields allows Cross Site Request Forgery.This issue affects LSD Custom taxonomy and category meta: from n/a through <= 1.3.2.
  References: (changed; no values shown)
  Metrics (cvssV3_1), values added:
    {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 25 Apr 2025 14:15:00 +0000
  Metrics (ssvc), values added:
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 24 Apr 2025 16:15:00 +0000
  Description, values added:
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bas Matthee LSD Custom taxonomy and category meta allows Cross Site Request Forgery. This issue affects LSD Custom taxonomy and category meta: from n/a through 1.3.2.
  Title, values added:
    WordPress LSD Custom taxonomy and category meta plugin <= 1.3.2 - CSRF to XSS vulnerability
  Weaknesses, values added: CWE-79
  References: (changed; no values shown)
  Metrics (cvssV3_1), values added:
    {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:39.695Z

Reserved: 2025-04-24T14:23:02.621Z

Link: CVE-2025-46502

Vulnrichment

Updated: 2025-04-24T19:54:38.210Z

NVD

Status : Deferred

Published: 2025-04-24T16:15:41.043

Modified: 2026-04-23T15:30:07.690

Link: CVE-2025-46502

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T21:15:06Z

Weaknesses