Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AntoineH Football Pool football-pool allows Stored XSS.This issue affects Football Pool: from n/a through <= 2.12.5.
Published: 2025-06-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic stored XSS flaw caused by improper neutralization of input during web page generation. It allows an attacker to inject and persist malicious JavaScript that will run in the browser of any user who views the affected content. The weakness corresponds to CWE‑79 and can compromise the confidentiality, integrity, and availability of user data by enabling phishing, cookie theft, or manipulation of site content.

Affected Systems

Vendors: AntoineH; Product: Football Pool plugin for WordPress. Vulnerable versions are all releases up through 2.12.5, meaning any installation of 2.12.5 or earlier is affected.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate impact. The EPSS score of less than 1% suggests the vulnerability is not widely exploited at the time of this analysis, and it is not listed in the CISA KEV catalog. Attackers would need the ability to submit content or otherwise influence the plugin’s stored data, typically requiring authenticated access or privilege escalation. Once the malicious code is stored, any user who views the affected content will have the script executed within their browser, potentially leading to phishing or credential theft.

Generated by OpenCVE AI on April 30, 2026 at 10:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Football Pool plugin to the latest available version (at least 2.12.6).
  • If an upgrade is not immediately possible, temporarily disable the plugin or remove it from the site to prevent new data from being stored.
  • Apply a web‑application firewall or content‑security‑policy that blocks or sanitizes injected JavaScript to mitigate the risk while a patch is applied.

Generated by OpenCVE AI on April 30, 2026 at 10:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19357 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AntoineH Football Pool allows Stored XSS. This issue affects Football Pool: from n/a through 2.12.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AntoineH Football Pool allows Stored XSS. This issue affects Football Pool: from n/a through 2.12.5. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AntoineH Football Pool football-pool allows Stored XSS.This issue affects Football Pool: from n/a through <= 2.12.5.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Fri, 27 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Jun 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AntoineH Football Pool allows Stored XSS. This issue affects Football Pool: from n/a through 2.12.5.
Title WordPress Football Pool plugin <= 2.12.5 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:22.855Z

Reserved: 2025-06-27T11:58:42.673Z

Link: CVE-2025-53280

cve-icon Vulnrichment

Updated: 2025-06-27T13:49:33.728Z

cve-icon NVD

Status : Deferred

Published: 2025-06-27T14:15:49.303

Modified: 2026-04-23T15:32:25.007

Link: CVE-2025-53280

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T10:15:34Z

Weaknesses