Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Logo Showcase logo-showcase allows DOM-Based XSS. This issue affects Logo Showcase: from n/a through <= 3.0.4.
Published: 2025-05-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, allowing an attacker to inject arbitrary JavaScript into web pages served by the WordPress Logo Showcase plugin. This DOM‑based XSS flaw can lead to client‑side code execution, theft of user session data, or defacement of the site. The weakness is classified as CWE‑79.

Affected Systems

The affected product is the WordPress Logo Showcase plugin, also known as Logo Showcase. Versions from the initial release up to and including 3.0.4 are vulnerable. Any installation using these versions is at risk.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity. The EPSS score of less than 1% shows a very low probability of exploitation in the wild, and the flaw is not listed in CISA's KEV catalog. The flaw is DOM‑based, meaning that exploitation requires a user to visit a crafted URL or interact with a page element that the plugin processes. The likely attack vector involves a malicious link or form input whose value is reflected into the browser's DOM without proper escaping.

Generated by OpenCVE AI on April 30, 2026 at 20:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Logo Showcase plugin to a version newer than 3.0.4 as soon as it is available.
  • If an upgrade cannot be performed immediately, remove or disable the plugin until a patched version is released.
  • As a short‑term precaution, block or sanitize any user‑supplied data that the plugin outputs, ensuring that all content rendered by the plugin is properly escaped or encoded to prevent execution of injected scripts.

Advisories

  • Debian DLA: DLA-4192-1, modsecurity-apache security update
  • EUVD: EUVD-2025-13826, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepoints Logo Showcase allows DOM-Based XSS. This issue affects Logo Showcase: from n/a through 3.0.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  • Description, value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepoints Logo Showcase allows DOM-Based XSS. This issue affects Logo Showcase: from n/a through 3.0.4.
  • Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Logo Showcase logo-showcase allows DOM-Based XSS.This issue affects Logo Showcase: from n/a through <= 3.0.4.
  • Title, value removed: WordPress Logo Showcase <= 3.0.4 - Cross Site Scripting (XSS) Vulnerability
  • Title, value added: WordPress Logo Showcase plugin <= 3.0.4 - Cross Site Scripting (XSS) Vulnerability
  • References (values not shown)
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Mon, 14 Jul 2025 13:45:00 +0000

  • Metrics (epss), value removed: {'score': 0.00048}
  • Metrics (epss), value added: {'score': 0.00056}

Thu, 29 May 2025 23:30:00 +0000

  • References (values not shown)

Wed, 07 May 2025 19:15:00 +0000

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 May 2025 14:30:00 +0000

  • Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepoints Logo Showcase allows DOM-Based XSS. This issue affects Logo Showcase: from n/a through 3.0.4.
  • Title, value added: WordPress Logo Showcase <= 3.0.4 - Cross Site Scripting (XSS) Vulnerability
  • Weaknesses, value added: CWE-79
  • References (values not shown)
  • Metrics (cvssV3_1), value added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:42.910Z

Reserved: 2025-05-07T09:39:23.016Z

Link: CVE-2025-47497

Vulnrichment

Updated: 2025-05-29T23:02:41.431Z

NVD

Status: Deferred

Published: 2025-05-07T15:16:04.143

Modified: 2026-04-23T15:30:20.237

Link: CVE-2025-47497

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T20:45:36Z

Weaknesses