Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MS WP Visual Sitemap wp-visual-sitemap allows Stored XSS. This issue affects WP Visual Sitemap: from n/a through <= 1.0.2.
Published: 2025-06-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper Neutralization of Input During Web Page Generation, classified as CWE‑79, allows stored cross‑site scripting in the WP Visual Sitemap plugin. An attacker can inject malicious scripts that execute in the browsers of any user who views a page rendered by the plugin, potentially leading to session hijacking, defacement, or credential theft.

Affected Systems

The WordPress WP Visual Sitemap plugin distributed by MS is affected. All releases up through version 1.0.2 contain the flaw, so sites running any of those versions are vulnerable.

Risk and Exploitability

The CVSS score of 6.5 reflects moderate severity. The EPSS score is under 1 percent, and the vulnerability is not listed in the CISA KEV catalog, indicating a low observed exploitation rate. Nonetheless, because the flaw is stored and does not require authentication, an attacker can embed a malicious payload via the plugin’s web interface that will be served to every site visitor, making the risk moderate with a low but real likelihood of exploitation.

Generated by OpenCVE AI on April 30, 2026 at 10:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Visual Sitemap plugin to the latest released version; newer releases contain the fix.
  • If an upgrade cannot be performed immediately, remove or deactivate the plugin to stop any stored scripts from being served.
  • After upgrading or removing, verify that no residual malicious script data remains in the database, for example by scanning for unexpected script tags.


Advisories
Source: EUVD
ID: EUVD-2025-19405
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MS WP Visual Sitemap allows Stored XSS. This issue affects WP Visual Sitemap: from n/a through 1.0.2.

History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anonymized-15272943 WP Visual Sitemap wp-visual-sitemap allows Stored XSS.This issue affects WP Visual Sitemap: from n/a through <= 1.0.2.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MS WP Visual Sitemap wp-visual-sitemap allows Stored XSS.This issue affects WP Visual Sitemap: from n/a through <= 1.0.2.

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MS WP Visual Sitemap wp-visual-sitemap allows Stored XSS.This issue affects WP Visual Sitemap: from n/a through <= 1.0.2.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anonymized-15272943 WP Visual Sitemap wp-visual-sitemap allows Stored XSS.This issue affects WP Visual Sitemap: from n/a through <= 1.0.2.
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MS WP Visual Sitemap allows Stored XSS. This issue affects WP Visual Sitemap: from n/a through 1.0.2.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MS WP Visual Sitemap wp-visual-sitemap allows Stored XSS.This issue affects WP Visual Sitemap: from n/a through <= 1.0.2.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 27 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Jun 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MS WP Visual Sitemap allows Stored XSS. This issue affects WP Visual Sitemap: from n/a through 1.0.2.
Title WordPress WP Visual Sitemap plugin <= 1.0.2 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:22.747Z

Reserved: 2025-06-27T11:58:53.299Z

Link: CVE-2025-53290

Vulnrichment

Updated: 2025-06-27T14:34:22.285Z

NVD

Status: Deferred

Published: 2025-06-27T14:15:50.597

Modified: 2026-04-28T19:33:35.920

Link: CVE-2025-53290

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T10:15:34Z

Weaknesses