Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stanton119 WordPress HTML custom-html-bodyhead allows Stored XSS. This issue affects WordPress HTML: from n/a through <= 0.51.
Published: 2025-08-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress HTML plugin (slug custom‑html‑bodyhead) does not properly neutralize input during page generation (CWE‑79): markup supplied through the plugin is stored in the site database and later written into generated pages without escaping. Because the payload is stored rather than reflected, it executes in the browser of every visitor who loads an affected page, with the usual stored‑XSS consequences: reading cookies and other session data that are not protected by HttpOnly, performing actions with the victim's privileges, and defacing content.

Affected Systems

Vendor stanton119 publishes the WordPress HTML custom‑html‑bodyhead plugin. All versions up to and including 0.51 are affected; the advisory gives no lower bound ("from n/a through <= 0.51"). WordPress sites running any of these versions remain exposed until the plugin is removed or a fixed release above 0.51 is installed, and at the time of this page no fixed version is listed.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) describes a network‑reachable, low‑complexity attack that needs an authenticated account with low privileges (PR:L) and a victim's interaction (UI:R), with scope changed (S:C) because the stored script runs in other users' browsers rather than inside the plugin. The EPSS score below 1 % estimates a low probability of exploitation in the wild over the next 30 days, the SSVC assessment on this record reports no known exploitation and rates the issue as not automatable, and the CVE is not in the CISA KEV catalog. The advisory does not name the exact WordPress role required; PR:L means the attacker first needs an account that can reach the plugin's settings, after which the stored payload fires for every browser that renders a page containing it, with no further action by the attacker.

Generated by OpenCVE AI on May 1, 2026 at 06:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress HTML custom‑html‑bodyhead plugin to a release newer than 0.51 if available
  • If an upgrade is not possible, deactivate or uninstall the plugin so that the stored HTML is no longer written into pages, and review the plugin's stored settings for injected script before re‑enabling it
  • Escape on output in the plugin: settings that are rendered as text or attribute values must pass through esc_html() or esc_attr() at the point they are printed. Escaping cannot be applied to a field whose purpose is to emit raw HTML, so for such fields gate saving behind a capability check (current_user_can('unfiltered_html')) and a nonce, and pass input from any lower‑privileged user through wp_kses_post()
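
The vulnerable and hardened patterns side by side, as an added illustration written for this page. It is not the code of the WordPress HTML plugin; the option names (demo_head_html, demo_head_label), the function names and the admin_init/wp_head hooks are assumptions about how a "custom HTML in head" feature is typically wired, not facts taken from the advisory.

```php
<?php
/**
 * Illustrative code for this page only (not the custom-html-bodyhead plugin).
 * Option names, function names and hooks are assumptions.
 */

// --- Vulnerable pattern (CWE-79, stored XSS) -------------------------------
// Whoever can submit the settings form stores arbitrary markup, and it is
// echoed into every page's <head> with no nonce, no capability check and no
// escaping. (Not hooked below; it would be wired exactly like the secure one.)
function insecure_demo_save_head_html() {
    if ( isset( $_POST['demo_head_html'] ) ) {
        update_option( 'demo_head_html', wp_unslash( $_POST['demo_head_html'] ) );
    }
}
function insecure_demo_print_head_html() {
    echo get_option( 'demo_head_html', '' ); // stored payload runs in every visitor's browser
}

// --- Hardened pattern ------------------------------------------------------
// 1. A nonce ties the save to a form the user actually submitted, so an
//    attacker cannot CSRF an administrator into storing the payload.
// 2. Only manage_options users may save at all.
// 3. Raw markup is kept only for users with unfiltered_html, the capability
//    WordPress itself uses to decide who may publish unfiltered HTML (on
//    multisite only super admins have it by default); everyone else is
//    filtered through wp_kses_post(), which strips <script>, on* handlers
//    and javascript: URLs.
// 4. A setting that is rendered as text or as an attribute value (the label)
//    is escaped on output with esc_html() / esc_attr(), never trusted from storage.
function secure_demo_save_head_html() {
    if ( ! isset( $_POST['demo_head_html'] ) ) {
        return;
    }
    check_admin_referer( 'demo_save_head_html', 'demo_nonce' ); // dies on a bad or missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    $html = wp_unslash( $_POST['demo_head_html'] );
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $html = wp_kses_post( $html ); // lower-privileged users cannot store script
    }
    update_option( 'demo_head_html', $html );

    $label = sanitize_text_field( wp_unslash( $_POST['demo_head_label'] ?? '' ) );
    update_option( 'demo_head_label', $label );
}
function secure_demo_print_head_html() {
    // Intentional raw output: it is trusted only because the save path above
    // guarantees that unfiltered markup came from an unfiltered_html user.
    echo get_option( 'demo_head_html', '' );
}
function secure_demo_settings_field() {
    $label = get_option( 'demo_head_label', '' );
    wp_nonce_field( 'demo_save_head_html', 'demo_nonce' );
    // Escape at the point of output: attribute context and text context each
    // get the matching escaper.
    printf(
        '<input type="text" name="demo_head_label" value="%s"> <span>%s</span>',
        esc_attr( $label ),
        esc_html( $label )
    );
}
add_action( 'admin_init', 'secure_demo_save_head_html' );
add_action( 'wp_head', 'secure_demo_print_head_html' );
```

The point of the hardened save path is that escaping is the wrong tool for a field that exists to emit raw HTML; the trust boundary has to be enforced when the value is stored, by limiting who may store unfiltered markup, and output escaping is reserved for values that are meant to be shown as text or attributes.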

Generated by OpenCVE AI on May 1, 2026 at 06:30 UTC.

Advisories

  Source: EUVD
  ID: EUVD-2025-26043
  Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stanton119 WordPress HTML allows Stored XSS. This issue affects WordPress HTML: from n/a through 0.51.

History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description
    Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stanton119 WordPress HTML allows Stored XSS. This issue affects WordPress HTML: from n/a through 0.51.
    Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stanton119 WordPress HTML custom-html-bodyhead allows Stored XSS.This issue affects WordPress HTML: from n/a through <= 0.51.
  References
  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Thu, 28 Aug 2025 15:15:00 +0000

  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 Aug 2025 13:00:00 +0000 (initial record)

  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stanton119 WordPress HTML allows Stored XSS. This issue affects WordPress HTML: from n/a through 0.51.
  Title: WordPress WordPress HTML plugin <= 0.51 - Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References
  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:56.656Z

Reserved: 2025-05-19T14:13:53.900Z

Link: CVE-2025-48315

Vulnrichment

Updated: 2025-08-28T13:33:47.024Z

NVD

Status : Deferred

Published: 2025-08-28T13:15:42.720

Modified: 2026-04-23T15:31:05.400

Link: CVE-2025-48315

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:45:11Z

Weaknesses