Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in inspectlet Inspectlet – User Session Recording and Heatmaps inspectlet-heatmaps-and-user-session-recording allows Stored XSS.This issue affects Inspectlet – User Session Recording and Heatmaps: from n/a through <= 2.0.
Published: 2025-08-14
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the description, this is a stored XSS vulnerability caused by improper neutralization of user‑supplied data before it is rendered in a web page in the Inspectlet – User Session Recording and Heatmaps WordPress plugin. When an attacker can insert malicious JavaScript into the plugin’s stored data, that code runs in every visitor’s browser, enabling session hijacking, credential theft, or further malware delivery. The weakness is identified as CWE‑79, a classic client‑side scripting flaw.

Affected Systems

WordPress sites that have installed the Inspectlet – User Session Recording and Heatmaps plugin version 2.0 or earlier are affected, any site regardless of theme or other plugins.

Risk and Exploitability

The CVSS score of 5.9 reflects moderate seriousness, while an EPSS score of less than 1 % indicates a very low probability of exploitation at present. The vulnerability can be leveraged when an attacker can create or modify data that the plugin stores—likely through an administrative or write‑capable interface. The description does not explicitly state authentication or role requirements, so the exact attack surface depends on the site's configuration and the permissions granted to users. This flaw is not listed in the CISA KEV catalog, so the current threat level is low but can rise if the plugin remains unpatched.

Generated by OpenCVE AI on May 1, 2026 at 06:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Inspectlet – User Session Recording and Heatmaps plugin to a version that contains the XSS fix
  • If a patch is not immediately available, disable or uninstall the plugin to remove the vulnerable code path
  • Apply a web application firewall or enforce a content security policy that blocks or filters any malicious scripts stored by the plugin

Generated by OpenCVE AI on May 1, 2026 at 06:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-24758 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in inspectlet Inspectlet &#8211; User Session Recording and Heatmaps allows Stored XSS. This issue affects Inspectlet &#8211; User Session Recording and Heatmaps: from n/a through 2.0.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in inspectlet Inspectlet &#8211; User Session Recording and Heatmaps inspectlet-heatmaps-and-user-session-recording allows Stored XSS.This issue affects Inspectlet &#8211; User Session Recording and Heatmaps: from n/a through <= 2.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in inspectlet Inspectlet – User Session Recording and Heatmaps inspectlet-heatmaps-and-user-session-recording allows Stored XSS.This issue affects Inspectlet – User Session Recording and Heatmaps: from n/a through <= 2.0.

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in inspectlet Inspectlet &#8211; User Session Recording and Heatmaps allows Stored XSS. This issue affects Inspectlet &#8211; User Session Recording and Heatmaps: from n/a through 2.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in inspectlet Inspectlet &#8211; User Session Recording and Heatmaps inspectlet-heatmaps-and-user-session-recording allows Stored XSS.This issue affects Inspectlet &#8211; User Session Recording and Heatmaps: from n/a through <= 2.0.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Thu, 14 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in inspectlet Inspectlet &#8211; User Session Recording and Heatmaps allows Stored XSS. This issue affects Inspectlet &#8211; User Session Recording and Heatmaps: from n/a through 2.0.
Title WordPress Inspectlet – User Session Recording and Heatmaps plugin <= 2.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:57.908Z

Reserved: 2025-05-30T14:04:34.997Z

Link: CVE-2025-49048

cve-icon Vulnrichment

Updated: 2025-08-14T14:17:51.950Z

cve-icon NVD

Status : Deferred

Published: 2025-08-14T11:15:36.930

Modified: 2026-04-28T19:32:48.873

Link: CVE-2025-49048

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T07:00:06Z

Weaknesses