Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tmatsuur Slightly troublesome permalink slightly-troublesome-permalink allows Stored XSS. This issue affects Slightly troublesome permalink: from n/a through <= 1.2.0.
Published: 2025-09-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Slightly troublesome permalink WordPress plugin contains a Stored Cross‑Site Scripting flaw that allows malicious scripts to be saved and later served to site visitors. Any attacker who can submit data through the plugin’s input fields may store code that will then execute in the browsers of users who view the affected content.

Affected Systems

The vulnerability affects the tmatsuur Slightly troublesome permalink plugin for all releases up through version 1.2.0, including earlier unspecified versions.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate risk level, while a low EPSS score of < 1% suggests that exploitation is uncommon in the wild. The plugin is not listed in CISA KEV. The likely attack vector involves an attacker entering malicious input via the plugin’s fields, which is stored unfiltered and later rendered, causing script execution in visitors’ browsers.

Generated by OpenCVE AI on April 30, 2026 at 06:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Slightly troublesome permalink plugin to a version newer than 1.2.0 if an update is available.
  • If no update is available, temporarily disable the plugin until a patch is released.
  • Add input validation or a web‑application firewall rule that removes or sanitizes script tags and other executable payloads from content managed by the plugin.

Advisories
Source: EUVD
ID: EUVD-2025-30692
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tmatsuur Slightly troublesome permalink allows Stored XSS. This issue affects Slightly troublesome permalink: from n/a through 1.2.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tmatsuur Slightly troublesome permalink allows Stored XSS. This issue affects Slightly troublesome permalink: from n/a through 1.2.0.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tmatsuur Slightly troublesome permalink slightly-troublesome-permalink allows Stored XSS.This issue affects Slightly troublesome permalink: from n/a through <= 1.2.0.

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 24 Sep 2025 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:15:00 +0000

Type: First Time appeared
Values Added: Wordpress, Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress, Wordpress wordpress

Mon, 22 Sep 2025 18:30:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tmatsuur Slightly troublesome permalink allows Stored XSS. This issue affects Slightly troublesome permalink: from n/a through 1.2.0.

Type: Title
Values Added: WordPress Slightly troublesome permalink Plugin <= 1.2.0 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:39.348Z

Reserved: 2025-08-22T11:36:51.669Z

Link: CVE-2025-57959

Vulnrichment

Updated: 2025-09-24T15:19:06.725Z

NVD

Status: Deferred

Published: 2025-09-22T19:15:54.700

Modified: 2026-04-23T15:33:08.007

Link: CVE-2025-57959

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T06:45:16Z

Weaknesses