Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sitesearch-yandex Yandex Site search pinger yandex-pinger allows Stored XSS. This issue affects Yandex Site search pinger: from n/a through <= 1.5.
Published: 2025-08-28
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Yandex Site search pinger WordPress plugin contains a stored cross‑site scripting flaw that occurs when the plugin accepts user input during search page generation without proper neutralization, allowing an attacker to inject malicious JavaScript that is then served to all visitors of the affected pages. This injected code can execute in users’ browsers, enabling session hijacking, credential theft, defacement, or other attacks that compromise confidentiality, integrity, and availability of the site and its visitors.

Affected Systems

All WordPress sites that have the Yandex Site search pinger plugin installed with a version up to and including 1.5 are affected; no specific WordPress core version requirements are listed, so the vulnerability applies to any site running that plugin version regardless of the core release.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not flagged in CISA’s KEV catalog. Based on the plugin’s functionality, the likely attack vector involves manipulating the search or other input fields to embed and store malicious scripts, which are then rendered in public pages visited by users.

Generated by OpenCVE AI on April 30, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Yandex Site search pinger plugin to version 1.6 or later once the vendor releases a patch.
  • If an upgrade is not feasible, remove or disable the plugin to eliminate the vulnerability.
  • Apply a site‑wide Content Security Policy that blocks inline scripts to mitigate the impact of any remaining XSS payloads.



Advisories
Source: EUVD
ID: EUVD-2025-26026
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sitesearch-yandex Yandex Site search pinger allows Stored XSS. This issue affects Yandex Site search pinger: from n/a through 1.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sitesearch-yandex Yandex Site search pinger allows Stored XSS. This issue affects Yandex Site search pinger: from n/a through 1.5.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sitesearch-yandex Yandex Site search pinger yandex-pinger allows Stored XSS. This issue affects Yandex Site search pinger: from n/a through <= 1.5.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Thu, 28 Aug 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 28 Aug 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sitesearch-yandex Yandex Site search pinger allows Stored XSS. This issue affects Yandex Site search pinger: from n/a through 1.5.
Title WordPress Yandex Site search pinger plugin <= 1.5 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:57.438Z

Reserved: 2025-05-19T14:41:42.787Z

Link: CVE-2025-48352

Vulnrichment

Updated: 2025-08-28T17:34:06.961Z

NVD

Status: Deferred

Published: 2025-08-28T13:15:54.943

Modified: 2026-04-23T15:31:09.777

Link: CVE-2025-48352

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:45:40Z

Weaknesses