Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brewlabs SensorPress allows Stored XSS. This issue affects SensorPress: from n/a through 1.0.
Published: 2025-08-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a stored XSS vulnerability that permits an attacker to inject malicious script into the web page presented by SensorPress. This flaw arises from improper neutralization of user input when generating content for the plugin’s pages, a problem identified as CWE‑79. When exploited, the injected script can run in the browser of any visitor, allowing the attacker to hijack sessions, steal credentials, deface pages, or perform further phishing attacks. The vulnerability is classified with a CVSS score of 9.8, indicating a high potential for damage across confidentiality and integrity.

Affected Systems

The vulnerability affects the SensorPress plugin from brewlabs, spanning all releases up to and including version 1.0. User installations of this plugin, regardless of WordPress site size or purpose, are susceptible if the affected version remains in use.

Risk and Exploitability

Despite the very low EPSS score (<1%), the CVSS rating signals a severe risk if an attacker can harness the injection point. The attack vector is inferred to be local or remote input in the plugin’s configuration interface that is stored and replayed in web pages viewed by any user, suggesting that the exploit could be performed by an attacker who can authenticate to the WordPress admin or by delivering a crafted URL that triggers the stored payload. The vulnerability is not listed in CISA KEV, so no known active exploitation campaigns have been reported at present.

Generated by OpenCVE AI on April 30, 2026 at 08:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest SensorPress update that removes the XSS flaw, or remove the plugin entirely if an update is unavailable.
  • If the plugin must remain, isolate its pages with a strict Content Security Policy that disallows script execution for the plugin’s URLs and whitelist only trusted sources.
  • Monitor the plugin’s release notes and the vendor’s advisory feed for any new patches or hotfixes and ensure the website’s search‑engine crawlers are blocked from loading plugin content before it is fully secured.

Generated by OpenCVE AI on April 30, 2026 at 08:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-25296 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brewlabs SensorPress allows Stored XSS. This issue affects SensorPress: from n/a through 1.0.
History

Tue, 28 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-502
References

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in brewlabs Portfolio Manager Pro otw-portfolio-manager allows Object Injection.This issue affects Portfolio Manager Pro: from n/a through 3.8. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brewlabs SensorPress allows Stored XSS. This issue affects SensorPress: from n/a through 1.0.
Title WordPress Portfolio Manager Pro Plugin 3.8 - PHP Object Injection Vulnerability WordPress SensorPress plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Thu, 23 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brewlabs SensorPress allows Stored XSS. This issue affects SensorPress: from n/a through 1.0. Deserialization of Untrusted Data vulnerability in brewlabs Portfolio Manager Pro otw-portfolio-manager allows Object Injection.This issue affects Portfolio Manager Pro: from n/a through 3.8.
Title WordPress SensorPress plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability WordPress Portfolio Manager Pro Plugin 3.8 - PHP Object Injection Vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 21 Aug 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 20 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brewlabs SensorPress allows Stored XSS. This issue affects SensorPress: from n/a through 1.0.
Title WordPress SensorPress plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:04.000Z

Reserved: 2025-06-04T15:44:12.381Z

Link: CVE-2025-49409

cve-icon Vulnrichment

Updated: 2025-08-20T13:43:07.305Z

cve-icon NVD

Status : Deferred

Published: 2025-08-20T08:15:36.027

Modified: 2026-04-28T19:33:05.590

Link: CVE-2025-49409

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T08:15:32Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')