Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Glen Scott Plugin Security Scanner plugin-security-scanner allows Stored XSS. This issue affects Plugin Security Scanner: from n/a through <= 2.0.2.
Published: 2025-09-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This is a stored cross-site scripting flaw (CWE-79) in Glen Scott's Plugin Security Scanner for WordPress: input supplied by a user is saved by the plugin and later written into a page without being neutralized for its HTML context. An attacker who can write to the plugin's stored data can therefore persist a JavaScript payload that runs in the browser of every user who afterwards views the page that renders it. Because the script executes in the site's own origin, it can act with the victim's session (including an administrator's), alter page content, or present phishing content. The attacker performs only the initial injection; as the UI:R component of the CVSS vector indicates, a victim still has to load the affected page for the payload to fire.

Affected Systems

All versions of the Plugin Security Scanner plugin up to and including 2.0.2 are affected; the advisory states no lower bound ('n/a'). The plugin is authored by Glen Scott and runs inside WordPress (slug plugin-security-scanner), so only WordPress sites with the plugin installed and active are exposed.

Risk and Exploitability

The CVSS 3.1 base score of 5.9 (Medium) follows from the vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L: the flaw is reachable over the network with low attack complexity, but planting the payload requires high privileges (PR:H), the victim must load the page that renders it (UI:R), and the changed scope (S:C) reflects that the injected script executes in the victim's browser rather than in the plugin itself. The EPSS score below 1% puts the estimated likelihood of exploitation in the wild very low, though not zero, and the vulnerability is not listed in CISA's KEV catalog; the SSVC assessment recorded in the history below rates exploitation 'none', automatable 'no' and technical impact 'partial'. The attack path is to submit malicious input through the plugin's interface, which the plugin stores and later renders for other visitors. Because the vector requires high privileges, the realistic attacker is a user who already holds an elevated role; the flaw is most relevant where that role is granted to people who are not fully trusted, or where one privileged user's stored data is rendered for other users.
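The following is an added illustration of the pattern described in the Impact and Risk paragraphs above; it is not code from Plugin Security Scanner (the affected code is not shown on this page). It is a hypothetical WordPress settings handler in which a high-privilege user stores a free-text value that the plugin later writes into HTML, shown first without and then with context-appropriate escaping. The option name pss_example_ignore_note, the capability check, the form field and the payload in the comments are assumptions of the example.

```php
<?php
// Added example, not code from the Plugin Security Scanner plugin.
// Hypothetical settings page for a scanner-style plugin: a privileged user
// stores a free-text note, which the plugin later renders on an admin screen.
// Option name, capability and field names are assumptions for illustration.

// Save handler. Requiring manage_options mirrors the PR:H of the CVSS vector:
// only a high-privilege user can plant the stored value.
function pss_example_save_setting() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'pss_example_save' );

    $value = isset( $_POST['pss_ignore_note'] ) ? wp_unslash( $_POST['pss_ignore_note'] ) : '';

    // Input sanitisation is worthwhile but does not prevent XSS at render time:
    // sanitize_text_field() strips tags such as <script>, yet a constructed
    // attribute-breakout payload that needs no tag, for example
    //     " autofocus onfocus="alert(document.domain)
    // contains no '<' or '%' and passes through unchanged.
    update_option( 'pss_example_ignore_note', sanitize_text_field( $value ) );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_pss_example_save', 'pss_example_save_setting' );

// VULNERABLE render: stored data is concatenated straight into HTML.
// With the payload above, the value="..." attribute is closed early and the
// onfocus handler runs for any user who opens this screen (UI:R in the vector).
function pss_example_render_vulnerable() {
    $note = get_option( 'pss_example_ignore_note', '' );
    echo '<p class="description">' . $note . '</p>';
    echo '<input type="text" name="pss_ignore_note" value="' . $note . '">';
}

// HARDENED render: escape for the exact context each value lands in.
// esc_html() for element content, esc_attr() inside a quoted attribute; the
// stored value is unchanged, it simply can no longer leave its context.
function pss_example_render_hardened() {
    $note = get_option( 'pss_example_ignore_note', '' );
    echo '<p class="description">' . esc_html( $note ) . '</p>';
    echo '<input type="text" name="pss_ignore_note" value="' . esc_attr( $note ) . '">';
}

// Form that posts to the save handler; the nonce ties the submission to a session.
function pss_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="pss_example_save">';
    wp_nonce_field( 'pss_example_save' );
    pss_example_render_hardened();
    echo '<button type="submit">Save</button></form>';
}
```

The point of keeping sanitize_text_field() in the save path is to show that input filtering and output escaping are different controls: the fix for CWE-79 is the escaping at the point where the value is written into HTML, chosen per context (esc_html, esc_attr, esc_url, esc_js), not stricter filtering on the way in.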

Generated by OpenCVE AI on April 30, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Plugin Security Scanner to a version newer than 2.0.2, if such an update is available.
  • If an upgrade cannot be performed immediately, disable or uninstall the vulnerable plugin to block the stored XSS vector.
  • Implement a site-wide Content Security Policy that restricts script execution to trusted sources, reducing the impact of any remaining or future XSS payloads. A policy only helps against stored XSS if it disallows inline script (no 'unsafe-inline' in script-src), which the WordPress admin screens partly rely on, so deploy it in Report-Only mode first and review the violations before enforcing it.
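The following must-use plugin is an added example of the CSP mitigation above; it is not part of Plugin Security Scanner or of WordPress core. It emits a per-response nonce policy in Report-Only mode and attaches the nonce to the script tags WordPress prints through its script API. The function names, the policy contents and the report endpoint are assumptions of the example.

```php
<?php
/**
 * Plugin Name: CSP Report-Only example (added illustration, not a shipped plugin)
 *
 * Drop into wp-content/mu-plugins/. Starts in report-only mode so that the
 * admin screens, which still print some inline scripts outside the script API,
 * can be reviewed for violations before the policy is enforced.
 */

// One nonce per HTTP response; the header and every script tag must see the same value.
function csp_example_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// Build the policy string. Inline script is allowed only when it carries the nonce,
// so a stored <script> block or an inline handler such as onerror=... is blocked.
function csp_example_policy( $nonce ) {
    return implode( '; ', array(
        "default-src 'self'",
        "script-src 'self' 'nonce-{$nonce}'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'self'",
        // Placeholder report collector (assumption); point this at a real endpoint.
        'report-uri /csp-report-endpoint',
    ) );
}

// Send the header before any output. 'init' fires on both front-end and admin requests.
add_action( 'init', function () {
    if ( headers_sent() ) {
        return;
    }
    // Rename to Content-Security-Policy once the report-only log is clean.
    header( 'Content-Security-Policy-Report-Only: ' . csp_example_policy( csp_example_nonce() ) );
} );

// Attach the nonce to the <script> tags WordPress emits for wp_enqueue_script()
// and wp_add_inline_script(); both filters exist since WordPress 5.7.
function csp_example_add_nonce( $attributes ) {
    $attributes['nonce'] = csp_example_nonce();
    return $attributes;
}
add_filter( 'wp_script_attributes', 'csp_example_add_nonce' );
add_filter( 'wp_inline_script_attributes', 'csp_example_add_nonce' );
```

Two caveats apply to this design: a full-page cache that serves the same HTML to many requests will reuse one nonce across responses, which defeats it, so either exclude cached pages from the nonce policy or use a hash- or host-based allow list there; and third-party script hosts (CDNs, analytics) must be added to script-src explicitly, which the report-only phase will surface.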



Advisories

Source: EUVD
ID: EUVD-2025-30689
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Glen Scott Plugin Security Scanner allows Stored XSS. This issue affects Plugin Security Scanner: from n/a through 2.0.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics cvssV3_1:
{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Description, value removed:
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Glen Scott Plugin Security Scanner allows Stored XSS. This issue affects Plugin Security Scanner: from n/a through 2.0.2.
Description, value added:
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Glen Scott Plugin Security Scanner plugin-security-scanner allows Stored XSS.This issue affects Plugin Security Scanner: from n/a through <= 2.0.2.
References
Metrics cvssV3_1:
{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 24 Sep 2025 14:15:00 +0000

Metrics ssvc:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Sep 2025 16:15:00 +0000

First Time appeared: Wordpress / wordpress
Vendors & Products: Wordpress / wordpress

Mon, 22 Sep 2025 18:30:00 +0000

Description, value added:
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Glen Scott Plugin Security Scanner allows Stored XSS. This issue affects Plugin Security Scanner: from n/a through 2.0.2.
Title, value added: WordPress Plugin Security Scanner Plugin <= 2.0.2 - Cross Site Scripting (XSS) Vulnerability
Weaknesses, value added: CWE-79
References
Metrics cvssV3_1:
{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:39.207Z

Reserved: 2025-08-22T11:36:40.761Z

Link: CVE-2025-57950

Vulnrichment

Updated: 2025-09-24T13:34:38.610Z

NVD

Status : Deferred

Published: 2025-09-22T19:15:53.263

Modified: 2026-04-23T15:33:07.110

Link: CVE-2025-57950

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T01:00:13Z

Weaknesses