Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpo-HR NGG Smart Image Search ngg-smart-image-search allows Stored XSS. This issue affects NGG Smart Image Search: from n/a through <= 3.3.3.
Published: 2025-05-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the NGG Smart Image Search plugin stems from improper neutralization of input during web page generation, resulting in a stored cross-site scripting (XSS) flaw. An attacker can inject script that the plugin persists and that later executes in the browser of every user who views the affected content. Because the payload is stored rather than reflected, each subsequent viewer is exposed, which can lead to session hijacking, defacement, or theft of sensitive data.

Affected Systems

The flaw affects the wpo‑HR NGG Smart Image Search plugin for WordPress, specifically all versions from the earliest available build up to and including version 3.3.3. Users of any WordPress installation running a vulnerable edition of this plugin are potentially impacted.

Risk and Exploitability

The CVSS 3.1 score of 6.5 indicates moderate severity; the vector (AV:N/AC:L/PR:L/UI:R/S:C) shows the issue is reachable over the network but requires a low-privileged account and a user interaction. The EPSS score of less than 1% suggests a low probability of exploitation, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is the web interface where users can submit or store content that the plugin does not properly sanitize: a payload placed in a field that persists in the database is then rendered in future page views. Under these conditions, an attacker with access to those content entry points could achieve the stored XSS.

Generated by OpenCVE AI on May 1, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the NGG Smart Image Search plugin to the latest available version to address the input sanitization flaw.
  • If an immediate update is not possible, remove or disable the plugin until a patched version is available to eliminate the attack surface.
  • While the plugin remains in use, ensure that every user-supplied field that is stored and later rendered is properly sanitized using WordPress functions such as wp_kses, and that a Content Security Policy is in place to restrict script execution.

Generated by OpenCVE AI on May 1, 2026 at 08:50 UTC.
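The third recommended action above (sanitize stored input with wp_kses and restrict script execution with a Content Security Policy) is shown below as an added example. It is not code from the NGG Smart Image Search plugin or from OpenCVE; the option name, hook names and the `ngg_example_` prefix are assumptions chosen for illustration, and the allow-list and CSP source list are placeholders to be replaced with the site's real policy. The unsafe function is shown only as the anti-pattern the hardened one replaces.

```php
<?php
/**
 * Added example, not code from the NGG Smart Image Search plugin.
 * Demonstrates: neutralize on input (wp_kses), escape on output in context,
 * and send a Content Security Policy as defense in depth.
 * Option name, hook names and allow-list are assumptions for illustration.
 */

// Allow-list of tags permitted in a stored label (assumption: plain emphasis + links).
const NGG_EXAMPLE_ALLOWED_HTML = array(
    'em'     => array(),
    'strong' => array(),
    'a'      => array( 'href' => array(), 'title' => array() ),
);

/**
 * Anti-pattern: request input is persisted unchanged, so any markup the
 * submitter includes is stored and later rendered verbatim (stored XSS).
 */
function ngg_example_save_label_unsafe( $raw ) {
    update_option( 'ngg_example_label', $raw ); // no neutralization at all
}

/**
 * Hardened: neutralize on the way in. wp_kses() removes every tag and
 * attribute absent from the allow-list, including <script> and on* handlers.
 */
function ngg_example_save_label( $raw ) {
    $clean = wp_kses( wp_unslash( $raw ), NGG_EXAMPLE_ALLOWED_HTML );
    update_option( 'ngg_example_label', $clean );
    return $clean;
}

/**
 * Rendering: treat stored data as untrusted too (rows may predate the fix)
 * and escape for the context the value lands in: the allow-list again for
 * an HTML text node, esc_attr() for an attribute value.
 */
function ngg_example_render_label() {
    $label = get_option( 'ngg_example_label', '' );
    $html  = wp_kses( $label, NGG_EXAMPLE_ALLOWED_HTML );
    $attr  = esc_attr( wp_strip_all_tags( $label ) );
    return '<div class="ngg-label" data-label="' . $attr . '">' . $html . '</div>';
}

/**
 * Defense in depth: a CSP that forbids inline script, so markup that slipped
 * past sanitization still cannot execute. Source list is a placeholder.
 */
function ngg_example_send_csp() {
    if ( ! headers_sent() ) {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
    }
}
add_action( 'send_headers', 'ngg_example_send_csp' );

/**
 * Handler for a hypothetical settings form: capability check and nonce
 * verification before the sanitized value is stored.
 */
function ngg_example_handle_form() {
    if ( ! isset( $_POST['ngg_example_label'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'ngg_example_save' );
    ngg_example_save_label( $_POST['ngg_example_label'] );
}
add_action( 'admin_init', 'ngg_example_handle_form' );
```

Sanitizing on input and escaping on output are both needed: wp_kses at save time stops new payloads from being persisted, the context-specific escaping at render time protects against values stored before the fix, and the CSP limits the blast radius if either layer is bypassed.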

Advisories
Source: EUVD
ID: EUVD-2025-13821
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpo-HR NGG Smart Image Search allows Stored XSS. This issue affects NGG Smart Image Search: from n/a through 3.3.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpo-HR NGG Smart Image Search allows Stored XSS. This issue affects NGG Smart Image Search: from n/a through 3.3.3. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpo-HR NGG Smart Image Search ngg-smart-image-search allows Stored XSS.This issue affects NGG Smart Image Search: from n/a through <= 3.3.3.
Title WordPress NGG Smart Image Search <= 3.3.3 - Cross Site Scripting (XSS) Vulnerability WordPress NGG Smart Image Search plugin <= 3.3.3 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss {'score': 0.00039} epss {'score': 0.00045}


Thu, 08 May 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 07 May 2025 14:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpo-HR NGG Smart Image Search allows Stored XSS. This issue affects NGG Smart Image Search: from n/a through 3.3.3.
Title WordPress NGG Smart Image Search <= 3.3.3 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:43.063Z

Reserved: 2025-05-07T09:39:23.017Z

Link: CVE-2025-47503

Vulnrichment

Updated: 2025-05-08T16:03:30.691Z

NVD

Status: Deferred

Published: 2025-05-07T15:16:04.867

Modified: 2026-04-23T15:30:21.117

Link: CVE-2025-47503

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:00:12Z

Weaknesses