Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in farinspace Peekaboo peekaboo allows Stored XSS.This issue affects Peekaboo: from n/a through <= 1.1.
Published: 2025-04-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of input during web page generation, allowing stored cross‑site scripting within the farinspace Peekaboo WordPress plugin. An attacker can inject arbitrary JavaScript that will execute in the browsers of any visitor who views pages impacted by the plugin, potentially enabling session hijacking, credential theft, or defacement. The weakness is classified as CWE‑79.

Affected Systems

WordPress installations that have installed the farĥinspace Peekaboo plugin, version 1.1 or earlier, are vulnerable. The issue manifests when user‑contributed content is stored and later displayed without proper escaping. Any site running these versions of the plugin is within the affected scope.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the current environment, though the flaw is still publicly known and could be leveraged by a motivated attacker. Since the vulnerability is stored XSS, the attacker would need to inject payloads through legitimate user inputs supported by the plugin, and the attacked hosts must render the malicious content to victim browsers. The vulnerability is not currently listed in CISA's KEV catalog, but it could be discovered by attackers as it can be abused without requiring privileged access or complex prerequisites.

Generated by OpenCVE AI on May 1, 2026 at 09:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Peekaboo plugin to a version newer than 1.1 if an update is available; this is the primary remediation.
  • If no update exists, permanently deactivate or uninstall the plugin from all WordPress sites to eliminate the attack surface.
  • Apply server‑side sanitization or a strict Content Security Policy to limit the execution of arbitrary JavaScript in any output that may still be rendered on your site.

Generated by OpenCVE AI on May 1, 2026 at 09:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-12027 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in farinspace Peekaboo allows Stored XSS. This issue affects Peekaboo: from n/a through 1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in farinspace Peekaboo allows Stored XSS. This issue affects Peekaboo: from n/a through 1.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in farinspace Peekaboo peekaboo allows Stored XSS.This issue affects Peekaboo: from n/a through <= 1.1.
Title WordPress Peekaboo <= 1.1 - Cross Site Scripting (XSS) Vulnerability WordPress Peekaboo plugin <= 1.1 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Thu, 24 Apr 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 24 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in farinspace Peekaboo allows Stored XSS. This issue affects Peekaboo: from n/a through 1.1.
Title WordPress Peekaboo <= 1.1 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:39.693Z

Reserved: 2025-04-24T14:23:11.073Z

Link: CVE-2025-46505

cve-icon Vulnrichment

Updated: 2025-04-24T19:52:59.618Z

cve-icon NVD

Status : Deferred

Published: 2025-04-24T16:15:41.440

Modified: 2026-04-23T15:30:08.067

Link: CVE-2025-46505

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T09:15:13Z

Weaknesses