Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SAPO SAPO Feed sapo-feed allows Stored XSS.This issue affects SAPO Feed: from n/a through <= 2.4.2.
Published: 2025-09-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a stored cross-site scripting flaw (CWE-79): input that an attacker controls is written into the page the plugin generates without being neutralised for the HTML context it lands in. Because the payload is stored server-side rather than reflected from a single request, it is rendered to every user who views the affected feed output, and their browsers execute attacker-controlled script in the origin of the WordPress site. Typical consequences are theft of session cookies or other data visible to the page, actions performed with the victim's privileges (including administrative actions if an administrator views the page), defacement and redirection to attacker-controlled sites. The impact is confined to the affected WordPress site, but within it reaches every user to whom the feed is displayed.
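As an added example (not code from the SAPO Feed plugin, whose internals this page does not show), the following standalone PHP sketch contrasts the CWE-79 pattern with its fix: feed item fields echoed straight into markup, versus the same fields escaped for the HTML context they land in at the moment the page is generated. The function names, the field names `title` and `link`, and the sample items are all hypothetical and constructed for the example; inside WordPress the escaping helpers would be esc_html(), esc_attr() and esc_url() rather than the plain-PHP stand-ins used here.

```php
<?php
// Added example, not SAPO Feed's own code: a minimal feed renderer showing the
// CWE-79 pattern (untrusted stored data echoed into HTML unescaped) next to the
// hardened version. Function and field names are hypothetical.

declare(strict_types=1);

// Constructed sample data: one benign item and one whose title and link carry
// payloads of the kind a user able to write to the stored feed might supply.
const SAMPLE_ITEMS = [
    [
        'title' => 'Normal headline',
        'link'  => 'https://example.com/post/1',
    ],
    [
        'title' => '<img src=x onerror=alert(document.cookie)>',
        'link'  => 'javascript:alert(1)',
    ],
];

// VULNERABLE: stored values are concatenated straight into markup, so the
// attacker's markup and event handler reach every visitor's browser intact.
function render_feed_vulnerable(array $items): string
{
    $html = '<ul class="feed">';
    foreach ($items as $item) {
        $html .= '<li><a href="' . $item['link'] . '">' . $item['title'] . '</a></li>';
    }
    return $html . '</ul>';
}

// Escape for an HTML text node or quoted attribute. htmlspecialchars() with
// ENT_QUOTES is the plain-PHP equivalent of WordPress's esc_html()/esc_attr().
function esc_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Allow only absolute http(s) URLs in href; anything else (javascript:, data:,
// protocol-relative tricks) is dropped rather than "cleaned", which is the
// behaviour WordPress's esc_url() has for a disallowed scheme.
function esc_link(string $url): string
{
    $url = trim($url);
    if (!preg_match('#^https?://#i', $url)) {
        return '';
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])) {
        return '';
    }
    return esc_text($url);
}

// HARDENED: same output shape, but each value is encoded for the context it is
// written into (attribute value vs. text node) at output time.
function render_feed_hardened(array $items): string
{
    $html = '<ul class="feed">';
    foreach ($items as $item) {
        $href = esc_link((string) $item['link']);
        $text = esc_text((string) $item['title']);
        $html .= $href === ''
            ? '<li>' . $text . '</li>'
            : '<li><a href="' . $href . '">' . $text . '</a></li>';
    }
    return $html . '</ul>';
}

echo "Vulnerable:\n" . render_feed_vulnerable(SAMPLE_ITEMS) . "\n\n";
echo "Hardened:\n" . render_feed_hardened(SAMPLE_ITEMS) . "\n";
```

Run it with `php feed.php`. In the hardened output the second item's title arrives in the page as literal text (`&lt;img src=x onerror=...&gt;`) and its `javascript:` link is dropped entirely. The point is encoding at the point of page generation, chosen per output context; trying to strip "bad" strings from the stored data instead is what a WAF does and is bypassable, and it does nothing about payloads already stored.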

Affected Systems

The SAPO Feed plugin for WordPress, versions up to and including 2.4.2 (recorded as "from n/a through 2.4.2", i.e. no lower bound), is affected. Any WordPress installation running this plugin at version 2.4.2 or earlier is potentially vulnerable; the record lists no fixed version, so a later release should be checked against the vendor's changelog rather than assumed to be patched.

Risk and Exploitability

The CVSS 3.1 vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L yields 5.9, medium severity. It is reachable over the network with low attack complexity, but the attacker needs high privileges on the WordPress site (PR:H) to plant the payload, and a victim has to interact (UI:R), typically by viewing the page on which the feed is rendered. Scope is changed (S:C) because the script executes in the victim's browser rather than in the plugin's own security scope, with low confidentiality, integrity and availability impact each. The EPSS score below 1 % indicates a very low expected exploitation probability at present, the vulnerability is not listed in the CISA KEV catalogue, and the SSVC assessment recorded in the history below (Exploitation: none, Automatable: no, Technical Impact: partial) agrees. Based on the description, the attack vector is the plugin's input handling: a user holding a sufficiently privileged role submits a payload through whatever feed configuration or content the plugin stores, and the plugin later renders it unescaped. Once stored, any visitor to the affected feed output executes the injected script. In practice this makes the flaw most relevant where privileged accounts are shared, weakly protected, or held by untrusted site operators.

Generated by OpenCVE AI on April 30, 2026 at 06:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for a SAPO Feed release later than 2.4.2 that addresses this issue and update to it. At the time of this record no vendor fix is listed, so verify the fix against the plugin's changelog rather than assuming the latest version is patched.
  • If no fixed version is available or the plugin cannot be upgraded, disable or uninstall SAPO Feed to remove the vulnerable code path. Since exploitation requires a high-privilege account (PR:H), also review which accounts hold such roles and whether they are adequately protected.
  • As defence in depth rather than a fix: add a web application firewall rule that rejects common XSS payloads in requests to the plugin's input handlers, and deploy a Content-Security-Policy that disallows inline script (for example a nonce- or hash-based script-src), which stops an injected <script> block or event handler from executing even if it reaches the page. A CSP does not sanitise anything and a strict one can break plugins that rely on inline scripts, so test it first; and because a WAF only inspects new requests, audit the stored feed data for payloads already planted.

Advisories
Source: EUVD
ID: EUVD-2025-30747
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SAPO SAPO Feed allows Stored XSS. This issue affects SAPO Feed: from n/a through 2.4.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SAPO SAPO Feed allows Stored XSS. This issue affects SAPO Feed: from n/a through 2.4.2.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SAPO SAPO Feed sapo-feed allows Stored XSS.This issue affects SAPO Feed: from n/a through <= 2.4.2.
Title
  Removed: WordPress SAPO Feed Plugin <= 2.4.2 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress SAPO Feed plugin <= 2.4.2 - Cross Site Scripting (XSS) vulnerability
References: (changed)
Metrics (cvssV3_1): {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Tue, 23 Sep 2025 21:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:15:00 +0000

First Time appeared: Wordpress (wordpress)
Vendors & Products: Wordpress (wordpress)

Mon, 22 Sep 2025 18:45:00 +0000

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SAPO SAPO Feed allows Stored XSS. This issue affects SAPO Feed: from n/a through 2.4.2.
Title: WordPress SAPO Feed Plugin <= 2.4.2 - Cross Site Scripting (XSS) Vulnerability
Weaknesses: CWE-79
References: (added)
Metrics (cvssV3_1): {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:25.364Z

Reserved: 2025-06-30T10:46:37.789Z

Link: CVE-2025-53462

Vulnrichment

Updated: 2025-09-23T20:24:29.292Z

NVD

Status : Deferred

Published: 2025-09-22T19:15:43.337

Modified: 2026-04-23T15:32:34.517

Link: CVE-2025-53462

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T06:30:29Z

Weaknesses