Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in akdevs Genealogical Tree genealogical-tree allows Stored XSS.This issue affects Genealogical Tree: from n/a through <= 2.2.7.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The akdevs Genealogical Tree WordPress plugin contains a flaw where user input is not properly neutralized before being rendered on a page. This improper input handling allows attackers to store arbitrary script code in the plugin’s data fields, which will be executed in the browsers of visitors who view the affected content. The resulting stored cross‑site scripting can lead to data theft, session hijacking, or defacement of the site.

Affected Systems

The vulnerable product is the Genealogical Tree WordPress plugin developed by akdevs. All releases up to and including version 2.2.7 are affected; no specific patch version is listed in the data.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests that active exploitation is currently unlikely. The vulnerability is listed as not in the CISA KEV catalog. The likely attack vector involves an actor who can insert or modify content within the plugin, as stored XSS requires the malicious payload to be saved and later rendered to visitors. This inference is drawn from the description of stored XSS and typical plugin content creation capabilities.

Generated by OpenCVE AI on April 30, 2026 at 06:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Genealogical Tree plugin to any release newer than 2.2.7.
  • If an upgrade is not possible, disable or sanitize the plugin’s data fields that accept user input, or replace the plugin with an alternative that properly validates output.
  • Deploy a web application firewall or enable browser XSS protection headers to block or mitigate the execution of injected scripts.

Generated by OpenCVE AI on April 30, 2026 at 06:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-30601 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in akdevs Genealogical Tree allows Stored XSS. This issue affects Genealogical Tree: from n/a through 2.2.5.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in akdevs Genealogical Tree genealogical-tree allows Stored XSS.This issue affects Genealogical Tree: from n/a through <= 2.2.8. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in akdevs Genealogical Tree genealogical-tree allows Stored XSS.This issue affects Genealogical Tree: from n/a through <= 2.2.7.
Title WordPress Genealogical Tree plugin <= 2.2.8 - Cross Site Scripting (XSS) vulnerability WordPress Genealogical Tree plugin <= 2.2.7 - Cross Site Scripting (XSS) vulnerability

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in akdevs Genealogical Tree genealogical-tree allows Stored XSS.This issue affects Genealogical Tree: from n/a through <= 2.2.7. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in akdevs Genealogical Tree genealogical-tree allows Stored XSS.This issue affects Genealogical Tree: from n/a through <= 2.2.8.
Title WordPress Genealogical Tree plugin <= 2.2.7 - Cross Site Scripting (XSS) vulnerability WordPress Genealogical Tree plugin <= 2.2.8 - Cross Site Scripting (XSS) vulnerability
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in akdevs Genealogical Tree allows Stored XSS. This issue affects Genealogical Tree: from n/a through 2.2.5. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in akdevs Genealogical Tree genealogical-tree allows Stored XSS.This issue affects Genealogical Tree: from n/a through <= 2.2.7.
Title WordPress Genealogical Tree Plugin <= 2.2.5 - Cross Site Scripting (XSS) Vulnerability WordPress Genealogical Tree plugin <= 2.2.7 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 23 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 22 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in akdevs Genealogical Tree allows Stored XSS. This issue affects Genealogical Tree: from n/a through 2.2.5.
Title WordPress Genealogical Tree Plugin <= 2.2.5 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:40.750Z

Reserved: 2025-08-22T11:37:50.459Z

Link: CVE-2025-58023

cve-icon Vulnrichment

Updated: 2025-09-23T14:39:26.658Z

cve-icon NVD

Status : Deferred

Published: 2025-09-22T19:16:04.670

Modified: 2026-04-28T19:34:03.223

Link: CVE-2025-58023

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T06:45:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')