Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpo-HR NGG Smart Image Search ngg-smart-image-search allows Stored XSS. This issue affects NGG Smart Image Search: from n/a through <= 3.4.3.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The NGG Smart Image Search plugin does not properly neutralize input during web page generation, which allows stored XSS. Attacker-supplied scripts can be embedded in stored data that is later rendered, so the script executes in the browser of anyone who views the affected page.

Affected Systems

The vulnerability affects the wpo-HR NGG Smart Image Search plugin, version 3.4.3 or earlier. Every WordPress installation that runs this plugin at or below that version is potentially vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. The EPSS of < 1% indicates a low likelihood of exploitation at this time, and the issue is not listed in the CISA KEV catalog. The likely attack vector is user-controlled input that is stored and later displayed; an attacker would need to inject a malicious payload through the plugin's input fields and then have a victim load a page containing that payload.

Generated by OpenCVE AI on April 30, 2026 at 15:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NGG Smart Image Search to version 3.4.4 or later if available
  • If an upgrade is not feasible, disable or uninstall the plugin to remove the vulnerability
  • Apply server‑side input validation and output encoding on plugin‑handled data, or configure a web‑application firewall to block common XSS payloads targeting the plugin’s input fields



Advisories
Source: EUVD
ID: EUVD-2025-30625
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpo-HR NGG Smart Image Search allows Stored XSS. This issue affects NGG Smart Image Search: from n/a through 3.4.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpo-HR NGG Smart Image Search allows Stored XSS. This issue affects NGG Smart Image Search: from n/a through 3.4.3.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpo-HR NGG Smart Image Search ngg-smart-image-search allows Stored XSS. This issue affects NGG Smart Image Search: from n/a through <= 3.4.3.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpo-hr
Wpo-hr ngg Smart Image Search
Vendors & Products Wordpress
Wordpress wordpress
Wpo-hr
Wpo-hr ngg Smart Image Search

Tue, 23 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpo-HR NGG Smart Image Search allows Stored XSS. This issue affects NGG Smart Image Search: from n/a through 3.4.3.
Title WordPress NGG Smart Image Search Plugin <= 3.4.3 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-13T00:21:22.647Z

Reserved: 2025-08-22T11:37:59.647Z

Link: CVE-2025-58027

Vulnrichment

Updated: 2025-09-23T14:44:21.245Z

NVD

Status: Deferred

Published: 2025-09-22T19:16:05.127

Modified: 2026-04-23T15:33:15.717

Link: CVE-2025-58027

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:15:06Z

Weaknesses