Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Simple Blog Stats simple-blog-stats allows Stored XSS.This issue affects Simple Blog Stats: from n/a through <= 20250416.
Published: 2025-05-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw that allows attackers to inject malicious JavaScript into web pages generated by the Simple Blog Stats plugin. This flaw can lead to defacement, credential theft, or execution of arbitrary scripts in the context of site visitors who view the affected pages, compromising confidentiality and integrity of user sessions.

Affected Systems

The issue affects the WordPress plugin Simple Blog Stats, versions from the earliest release up to and including 20250416, developed by Jeff Starr.

Risk and Exploitability

The CVSS v3.1 base score of 6.5 indicates medium‑high risk, while the EPSS score of < 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the attack vector is inferred to involve an attacker entering malicious input through the plugin’s interface, which is stored and later rendered without proper sanitization. If such input is viewed by an end user, the script executes in the victim’s browser.

Generated by OpenCVE AI on April 30, 2026 at 20:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Simple Blog Stats plugin to the latest released version (>= 20250417).
  • If an immediate update is not possible, temporarily disable the plugin or purge any user‑supplied data that the plugin stores until a fix is applied.
  • Apply general XSS controls: ensure that any output generated by the plugin escapes all user‑controlled data and implements proper input validation according to CWE‑79 best practices.

Generated by OpenCVE AI on April 30, 2026 at 20:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-13824 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Simple Blog Stats allows Stored XSS. This issue affects Simple Blog Stats: from n/a through 20250416.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Simple Blog Stats allows Stored XSS. This issue affects Simple Blog Stats: from n/a through 20250416. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Simple Blog Stats simple-blog-stats allows Stored XSS.This issue affects Simple Blog Stats: from n/a through <= 20250416.
Title WordPress Simple Blog Stats <= 20250416 - Cross Site Scripting (XSS) Vulnerability WordPress Simple Blog Stats plugin <= 20250416 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00039}

 epss

{'score': 0.00045}

Thu, 08 May 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 07 May 2025 14:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Simple Blog Stats allows Stored XSS. This issue affects Simple Blog Stats: from n/a through 20250416.
Title WordPress Simple Blog Stats <= 20250416 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:42.947Z

Reserved: 2025-05-07T09:39:23.016Z

Link: CVE-2025-47499

cve-icon Vulnrichment

Updated: 2025-05-08T16:08:26.786Z

cve-icon NVD

Status : Deferred

Published: 2025-05-07T15:16:04.403

Modified: 2026-04-23T15:30:20.557

Link: CVE-2025-47499

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T20:30:26Z

Weaknesses