Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Directory Pro directory-pro allows DOM-Based XSS.This issue affects Directory Pro: from n/a through <= 2.5.5.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Directory Pro, a WordPress plugin from e‑plugins, contains an improper neutralization of user‑controlled input that allows a DOM‑based cross‑site scripting vulnerability. An attacker can embed malicious script payloads that execute in a victim’s browser when the user interacts with a crafted page or plugin interface, potentially enabling cookie theft, session hijacking, or defacement of site content. This flaw falls under CWE‑79 and directly compromises the confidentiality and integrity of user data exposed through the affected plugin.

Affected Systems

The vulnerability affects all installations of the Directory Pro plugin up to and including version 2.5.5. No other vendors or product families are listed as impacted.

Risk and Exploitability

With a CVSS score of 6.5 the flaw is considered moderate, and the EPSS score of less than 1 % indicates a low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker crafting a malicious URL or input that is then rendered by the browser in the context of the vulnerable plugin; successful exploitation requires an unsuspecting victim to visit or interact with the manipulated page.

Generated by OpenCVE AI on April 30, 2026 at 00:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Directory Pro to version 2.5.6 or later, applying the vendor’s official patch that sanitizes all input before rendering.
  • If an immediate upgrade is not possible, disable the Directory Pro plugin or restrict its use to trusted administrators only to prevent accidental exploitation.
  • Verify that any remaining form inputs are properly sanitized and escape any user‑supplied data before inclusion in page output.

Generated by OpenCVE AI on April 30, 2026 at 00:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-30673 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Directory Pro allows DOM-Based XSS. This issue affects Directory Pro: from n/a through 2.5.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Directory Pro allows DOM-Based XSS. This issue affects Directory Pro: from n/a through 2.5.5. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Directory Pro directory-pro allows DOM-Based XSS.This issue affects Directory Pro: from n/a through <= 2.5.5.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared E-plugins
E-plugins directory Pro
Wordpress
Wordpress wordpress
Vendors & Products E-plugins
E-plugins directory Pro
Wordpress
Wordpress wordpress

Tue, 23 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 22 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Directory Pro allows DOM-Based XSS. This issue affects Directory Pro: from n/a through 2.5.5.
Title WordPress Directory Pro Plugin <= 2.5.5 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

E-plugins Directory Pro
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:39.186Z

Reserved: 2025-08-22T11:36:40.760Z

Link: CVE-2025-57948

cve-icon Vulnrichment

Updated: 2025-09-23T14:16:42.428Z

cve-icon NVD

Status : Deferred

Published: 2025-09-22T19:15:52.930

Modified: 2026-04-23T15:33:06.887

Link: CVE-2025-57948

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T01:00:13Z

Weaknesses