Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ONTRAPORT PilotPress pilotpress allows Stored XSS. This issue affects PilotPress: from n/a through <= 2.0.36.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from improper neutralization of user input when generating web pages, enabling a stored cross‑site scripting (XSS) flaw in ONTRAPORT’s PilotPress WordPress plugin. Attackers can inject arbitrary JavaScript code that is then executed in the browsers of visitors to pages that render data from the plugin. The injected script can steal session cookies, deface content, or facilitate further phishing attacks, compromising the confidentiality and integrity of user sessions and potentially the website’s displayed content.

Affected Systems

The flaw affects all installations of the PilotPress WordPress plugin, developed by Ontraport, up to and including version 2.0.36. Site owners running an affected version are exposed regardless of the size of their audience.

Risk and Exploitability

The CVSS base score of 6.5 indicates a moderate severity risk. The EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation at this time. However, stored XSS remains a classic attack vector, especially when user‑supplied content is rendered without proper sanitization. An attacker could target users who view any page that incorporates PilotPress content, potentially hijacking their sessions or injecting malicious scripts.

Generated by OpenCVE AI on April 30, 2026 at 01:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the PilotPress plugin to version 2.0.37 or later, which removes the XSS flaw.
  • Ensure that any existing content created before the patch does not contain malicious scripts by using a content scanning tool or by manually removing suspicious JavaScript.
  • As a temporary safeguard, implement a Content Security Policy that disallows inline scripts and restricts JavaScript origins to trusted domains, reducing the impact of any unpatched XSS.



Advisories

Source: EUVD
ID: EUVD-2025-30571
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ONTRAPORT PilotPress allows Stored XSS. This issue affects PilotPress: from n/a through 2.0.35.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ONTRAPORT PilotPress allows Stored XSS. This issue affects PilotPress: from n/a through 2.0.35.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ONTRAPORT PilotPress pilotpress allows Stored XSS. This issue affects PilotPress: from n/a through <= 2.0.36.
Type: Title
Values Removed: WordPress PilotPress Plugin <= 2.0.35 - Cross Site Scripting (XSS) Vulnerability
Values Added: WordPress PilotPress Plugin <= 2.0.36 - Cross Site Scripting (XSS) Vulnerability
Type: References
Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 23 Sep 2025 17:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:15:00 +0000

Type: First Time appeared
Values Added: Ontraport, Ontraport pilotpress, Wordpress, Wordpress wordpress
Type: Vendors & Products
Values Added: Ontraport, Ontraport pilotpress, Wordpress, Wordpress wordpress

Mon, 22 Sep 2025 18:30:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ONTRAPORT PilotPress allows Stored XSS. This issue affects PilotPress: from n/a through 2.0.35.
Type: Title
Values Added: WordPress PilotPress Plugin <= 2.0.35 - Cross Site Scripting (XSS) Vulnerability
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:42.797Z

Reserved: 2025-08-27T16:19:35.849Z

Link: CVE-2025-58238

Vulnrichment

Updated: 2025-09-23T15:57:11.805Z

NVD

Status : Deferred

Published: 2025-09-22T19:16:09.253

Modified: 2026-04-23T15:33:21.687

Link: CVE-2025-58238

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T01:30:24Z

Weaknesses