Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP CodeUs WP Proposals allows Stored XSS. This issue affects WP Proposals: from n/a through 2.3.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Proposals plugin accepts user‑supplied input that is stored and later rendered inside web pages without adequate escaping. This flaw permits a malicious actor to embed JavaScript, which is executed in the browsers of visitors to the site, potentially leading to cross‑site scripting attacks. The impact includes theft of session cookies, credential hijacking, defacement of content, and execution of arbitrary actions on behalf of the user. The vulnerability is classified as CWE‑79 and provides a stored attack vector, meaning the malicious payload persists until the affected content is viewed.

Affected Systems

WordPress sites that have the WP Proposals plugin by WP CodeUs installed, version 2.3 or earlier. The plugin’s data forms and stored content are the primary vectors for exploitation.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. The EPSS score of less than 1% suggests a low likelihood of active exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack path involves submitting crafted input through the plugin’s forms (either via the front‑end or the admin interface) which is then displayed in subsequent page loads, allowing an attacker to execute arbitrary client‑side scripts.

Generated by OpenCVE AI on April 30, 2026 at 00:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Proposals plugin to version 2.4 or later, which removes the unsanitized input handling.
  • If an upgrade cannot be performed immediately, deactivate the plugin or limit access to its input pages until the fix is applied.
  • Apply temporary client‑side sanitization on the plugin’s output by wrapping returned content with wp_kses or a similar escaping function, and enforce strict file permissions so the plugin cannot write arbitrary data.

Generated by OpenCVE AI on April 30, 2026 at 00:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-30676 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP CodeUs WP Proposals allows Stored XSS. This issue affects WP Proposals: from n/a through 2.3.
History

Tue, 28 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP CodeUs WP Proposals wp-proposals allows Stored XSS.This issue affects WP Proposals: from n/a through <= 2.3. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP CodeUs WP Proposals allows Stored XSS. This issue affects WP Proposals: from n/a through 2.3.
References

Thu, 23 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP CodeUs WP Proposals allows Stored XSS. This issue affects WP Proposals: from n/a through 2.3. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP CodeUs WP Proposals wp-proposals allows Stored XSS.This issue affects WP Proposals: from n/a through <= 2.3.
References

Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 23 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 22 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP CodeUs WP Proposals allows Stored XSS. This issue affects WP Proposals: from n/a through 2.3.
Title WordPress WP Proposals Plugin <= 2.3 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:39.601Z

Reserved: 2025-08-22T11:37:02.928Z

Link: CVE-2025-57965

cve-icon Vulnrichment

Updated: 2025-09-23T14:23:05.335Z

cve-icon NVD

Status : Deferred

Published: 2025-09-22T19:15:55.693

Modified: 2026-04-28T19:33:59.283

Link: CVE-2025-57965

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T01:00:13Z

Weaknesses