Description
The Zotpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nickname’ parameter in all versions up to, and including, 7.3.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) via the nickname field
Action: Apply Patch
AI Analysis

Impact

The Zotpress plugin contains a stored XSS flaw in the nickname input that is not properly sanitized or escaped. Authenticated users with Author rights or higher can inject arbitrary JavaScript into created pages. When other site visitors load an affected page, the malicious code runs in their browsers, potentially allowing cookie theft, session hijacking, defacement, or the execution of further attacks on the site’s users.

Affected Systems

The vulnerability affects the Zotpress WordPress plugin distributed by kseaborn, in all releases up to and including version 7.3.15; any WordPress installation running one of those versions is vulnerable.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. The EPSS score of less than 1% suggests a very low likelihood of exploitation, and the flaw is not listed in CISA's KEV catalog. The attack vector requires an authenticated user with Author or higher privileges, which limits the attacker’s reach but still permits significant damage if such credentials are compromised.

Generated by OpenCVE AI on April 28, 2026 at 01:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Zotpress to the latest version (≥7.3.16) to remove the stored XSS bug.
  • If an immediate update is not possible, restrict Author and higher role permissions so that those users cannot edit nickname fields or create new pages containing the nickname input.
  • Deploy a Content Security Policy that disallows inline scripts or restricts script sources to mitigate the risk of any remaining XSS payloads.

Generated by OpenCVE AI on April 28, 2026 at 01:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-18085 The Zotpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nickname’ parameter in all versions up to, and including, 7.3.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
References

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00036}

epss

{'score': 0.00042}


Wed, 11 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Jun 2025 04:00:00 +0000

Type Values Removed Values Added
Description The Zotpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nickname’ parameter in all versions up to, and including, 7.3.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title ZotPress <= 7.3.15 - Authenticated (Author+) Stored Cross-Site Scripting via 'nickname'
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:35:57.360Z

Reserved: 2025-05-13T19:53:37.213Z

Link: CVE-2025-4666

cve-icon Vulnrichment

Updated: 2025-06-11T13:25:41.785Z

cve-icon NVD

Status : Deferred

Published: 2025-06-11T04:15:53.280

Modified: 2026-06-17T09:33:45.073

Link: CVE-2025-4666

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T01:30:17Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')