Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pondol Pondol BBS pondol-bbs allows Stored XSS. This issue affects Pondol BBS: from n/a through <= 1.1.8.4.
Published: 2026-01-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Pondol BBS plugin for WordPress fails to properly neutralize user input before rendering it in web pages, creating a stored cross-site scripting flaw classified as CWE-79. A malicious user can inject script payloads into fields that the plugin retains; those payloads are then served to any visitor of the affected pages, enabling the attacker to run arbitrary script in the victim's browser.

Affected Systems

WordPress sites running the Pondol BBS plugin in any version up to and including 1.1.8.4 are affected, that is, every release from the earliest available through 1.1.8.4.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. EPSS is under 1%, suggesting a low chance of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The vector currently on record (PR:H, UI:R, S:C) means the attacker needs a high-privilege account, a victim must view the injected content, and the impact crosses into the visitor's browser context. Attackers would need to embed malicious payloads into user-editable fields provided by the plugin; these payloads are then stored and later served to other users via normal web requests, so the attack vector is web-based through ordinary use of the plugin.

Generated by OpenCVE AI on May 2, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Pondol BBS plugin to a version newer than 1.1.8.4 to apply the XSS fix.
  • If an upgrade is not possible, restrict stored content to plain text and strip any potentially dangerous markup before rendering the data to users.
  • Disable or remove the Pondol BBS plugin if it is not essential to site functionality.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
  Values removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  Values added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Mon, 26 Jan 2026 23:15:00 +0000

Type: Metrics
  Values added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
  Values added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values added: Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
  Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pondol Pondol BBS pondol-bbs allows Stored XSS. This issue affects Pondol BBS: from n/a through <= 1.1.8.4.
Type: Title
  Values added: WordPress Pondol BBS plugin <= 1.1.8.4 - Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
  Values added: CWE-79
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:01.070Z

Reserved: 2025-06-04T09:42:27.085Z

Link: CVE-2025-49336

Vulnrichment

Updated: 2026-01-26T21:59:45.729Z

NVD

Status: Deferred

Published: 2026-01-22T17:15:56.277

Modified: 2026-06-17T09:31:07.480

Link: CVE-2025-49336

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T01:00:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')