Description
The StageShow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘anchor’ parameter in all versions up to, and including, 10.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-06
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) via anchor parameter
Action: Patch Now
AI Analysis

Impact

The StageShow plugin for WordPress allows an authenticated Contributor or higher to persist malicious JavaScript by sending arbitrary code through the anchor parameter. The server stores the data without sufficient input sanitization or output escaping, resulting in stored cross‑site scripting. An attacker can then trick users who view the affected page to run the script in their browser, potentially hijacking sessions, modifying content, or delivering malware. This flaw aligns with CWE‑79.

Affected Systems

The vulnerability exists in all releases of the StageShow plugin up to and including version 10.0.3. The affected product is the StageShow WordPress plugin published by the StageShow Project. The plugin is available on the WordPress Plugin Directory and can be installed by site administrators on any WordPress installation that uses this plugin.

Risk and Exploitability

The CVSS score of 6.4 marks the issue as medium severity, and the EPSS score of less than 1% indicates a low likelihood of exploitation at this time. The flaw is not listed in the CISA KEV catalog. Because an attacker must be authenticated, the attack vector requires at least Contributor privileges, which limits exposure to sites with up‑to‑date role assignments. Nonetheless, any site that accepts Contributor users remains vulnerable until the plugin is updated or the flaw is mitigated.

Generated by OpenCVE AI on April 21, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update StageShow to version 10.0.4 or later, which removes the unsanitized anchor parameter handling.
  • If an update is not possible, remove or downgrade any Contributor roles that can post anchor content to prevent injection.
  • As a temporary safeguard, limit access to the plugin’s administration pages or disable the functionality that uses the anchor parameter until a patch is available.

Generated by OpenCVE AI on April 21, 2026 at 20:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-17078 The StageShow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘anchor’ parameter in all versions up to, and including, 10.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00037}

 epss

{'score': 0.00035}

Tue, 15 Jul 2025 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Stageshow Project
Stageshow Project stageshow
CPEs cpe:2.3:a:stageshow_project:stageshow:*:*:*:*:*:wordpress:*:*
Vendors & Products Stageshow Project
Stageshow Project stageshow

Fri, 06 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Jun 2025 07:00:00 +0000

Type Values Removed Values Added
Description The StageShow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘anchor’ parameter in all versions up to, and including, 10.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title StageShow <= 10.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via anchor Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Stageshow Project Stageshow
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:46.136Z

Reserved: 2025-06-04T22:01:22.219Z

Link: CVE-2025-5703

cve-icon Vulnrichment

Updated: 2025-06-06T15:43:21.881Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-06T07:15:30.463

Modified: 2025-07-15T17:15:17.927

Link: CVE-2025-5703

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:30:27Z

Weaknesses