Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ickata Image Editor by Pixo image-editor-by-pixo allows DOM-Based XSS. This issue affects Image Editor by Pixo: from n/a through <= 2.3.8.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a DOM‑based Cross‑Site Scripting flaw in the Ickata Image Editor by Pixo plugin. Improper neutralization of input during web page generation allows an attacker to inject script that executes in the victim's browser. The impact is that an attacker can run arbitrary script in the context of the site, deface pages, steal cookies or session data, and perform other client‑side attacks.

Affected Systems

The affected product is Ickata Image Editor by Pixo for WordPress, any release with a version number up to and including 2.3.8. No other vendors or product lines are listed.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity; the published vector (AV:N/AC:L/PR:L/UI:R/S:C) requires low privileges and user interaction. The EPSS score of less than 1% shows a very low probability of exploitation in the wild, and the vulnerability is not in CISA's KEV catalog. The flaw requires the victim to visit a page that loads the untrusted input into the DOM; the attack vector is therefore the web interface of the plugin. An attacker can exploit the issue by crafting a URL or supplying a value that the image editor page renders. Because the flaw is DOM based, it is triggered client‑side and can be reached through any user‑facing entry point that passes data to the editor.

Generated by OpenCVE AI on April 30, 2026 at 01:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Image Editor by Pixo plugin to version 2.3.9 or later.
  • If an upgrade cannot be applied immediately, consider removing the plugin until a fix is available.
  • As a stopgap, disable or sanitize any input fields that the image editor uses so that script tags are never rendered.
  • Deploy a web application firewall rule that blocks or strips script tags from the image editor inputs as an intermediate security layer.

Generated by OpenCVE AI on April 30, 2026 at 01:23 UTC.

Advisories

Source: EUVD
ID: EUVD-2025-30580
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ickata Image Editor by Pixo allows DOM-Based XSS. This issue affects Image Editor by Pixo: from n/a through 2.3.8.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ickata Image Editor by Pixo allows DOM-Based XSS. This issue affects Image Editor by Pixo: from n/a through 2.3.8.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ickata Image Editor by Pixo image-editor-by-pixo allows DOM-Based XSS.This issue affects Image Editor by Pixo: from n/a through <= 2.3.8.

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 23 Sep 2025 17:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:15:00 +0000

Type: First Time appeared
Values Added: Wordpress (wordpress)

Type: Vendors & Products
Values Added: Wordpress (wordpress)

Mon, 22 Sep 2025 18:30:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ickata Image Editor by Pixo allows DOM-Based XSS. This issue affects Image Editor by Pixo: from n/a through 2.3.8.

Type: Title
Values Added: WordPress Image Editor by Pixo Plugin <= 2.3.8 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T01:02:51.350Z

Reserved: 2025-08-27T16:19:35.848Z

Link: CVE-2025-58232

Vulnrichment

Updated: 2025-09-23T15:56:28.601Z

NVD

Status : Deferred

Published: 2025-09-22T19:16:08.343

Modified: 2026-04-23T15:33:21.010

Link: CVE-2025-58232

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T01:30:24Z

Weaknesses