Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chandrika Sista WP Category Dropdown wp-category-dropdown allows Stored XSS. This issue affects WP Category Dropdown: from n/a through <= 1.9.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Category Dropdown plugin writes stored, user-supplied input into a generated HTML page without escaping it for the HTML context it lands in, which is a stored cross-site scripting flaw (CWE-79). An attacker who can get a payload into content the plugin later renders can inject JavaScript that runs in the browser of every visitor who views the affected page, under that visitor's origin and session. Because the payload is persisted server-side, it executes each time the stored content is displayed, not only once.
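The pattern described above, as an added illustration rather than code from the WP Category Dropdown plugin (the record does not show the plugin's rendering code): a hypothetical dropdown renderer in Python that interpolates stored labels unescaped, beside one that escapes separately for the attribute and text contexts, the way WordPress's esc_attr() and esc_html() do. The category labels, including the payload, are constructed sample data; the function names are this example's own.

```python
import html
from html.parser import HTMLParser

# Constructed sample data: category labels as a site might store them.
# The last entry is the kind of value a low-privileged account could submit
# to a plugin field whose contents are later echoed into the page unescaped.
CATEGORY_LABELS = [
    "News",
    "R&D",
    "</option><script>alert(1)</script>",
]


def render_dropdown_unsafe(labels):
    """Vulnerable pattern (hypothetical): stored values are interpolated
    straight into markup, so a label can close the <option> and open a
    <script> of its own."""
    options = "".join(f'<option value="{label}">{label}</option>' for label in labels)
    return f'<select name="cat">{options}</select>'


def render_dropdown_safe(labels):
    """Hardened pattern: escape for the attribute context (quotes included)
    and for the text context. html.escape(quote=True) covers both here;
    in WordPress the equivalents are esc_attr() and esc_html()."""
    options = "".join(
        f'<option value="{html.escape(label, quote=True)}">{html.escape(label, quote=True)}</option>'
        for label in labels
    )
    return f'<select name="cat">{options}</select>'


class _ScriptTagCounter(HTMLParser):
    """Counts real <script> start tags, i.e. what a browser tokenizer would
    actually treat as a script element, as opposed to the literal substring
    "<script" which can appear harmlessly inside a quoted attribute."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1


def count_script_tags(markup):
    """Number of <script> elements a parser finds in the rendered markup."""
    parser = _ScriptTagCounter()
    parser.feed(markup)
    parser.close()
    return parser.script_tags


if __name__ == "__main__":
    for name, render in (("unsafe", render_dropdown_unsafe), ("safe", render_dropdown_safe)):
        out = render(CATEGORY_LABELS)
        print(f"{name}: {count_script_tags(out)} script element(s)\n  {out}")
```

The parser-based check matters more than a substring search: in the unsafe output the payload appears twice, once inside the quoted value attribute (inert) and once as text content (a live script element), and only the second one counts. Escaping every value at output time, per context, is the fix; stripping "<script>" from input is not, because event-handler attributes and other tags reach the same sink.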

Affected Systems

All installations of Chandrika Sista's WP Category Dropdown plugin at version 1.9 or earlier are vulnerable. The record lists no fixed version, so any WordPress site with the plugin installed should be treated as affected until the vendor publishes a release later than 1.9.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) indicates medium severity: the attack is reachable over the network with low complexity, requires a low-privileged account (PR:L) and a victim who views the affected page (UI:R), and is scored as scope-changed because the injected script runs in the victim's browser rather than in the plugin itself. The EPSS score below 1% signals a low current probability of exploitation, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is the plugin's content-input interface; it is inferred, not stated in the record, that a user permitted to create or edit dropdown entries could supply the payload. Successful exploitation would affect anyone who views the rendered page unless other defenses, such as a restrictive Content Security Policy or tightly limited editing roles, intervene.

Generated by OpenCVE AI on April 30, 2026 at 06:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Category Dropdown plugin to a release later than 1.9 as soon as the vendor publishes one; the record currently lists no fixed version, so check the plugin changelog before assuming a newer build contains the fix.
  • Until a fix is available, deactivate the plugin (or remove it if the dropdown is not essential) and restrict the roles that can create or edit the content it renders, since the CVSS vector requires only a low-privileged account.
  • Audit the stored values the plugin renders (category labels, plugin settings) for injected markup such as script tags, event-handler attributes or javascript: URLs and remove anything found; a patch changes how output is rendered, it does not clean data already in the database.
  • Deploy a Web Application Firewall rule that blocks script markup in requests to the plugin's input endpoints, and set a Content Security Policy that disallows inline scripts (a nonce- or hash-based script-src without 'unsafe-inline'). A CSP does not sanitize stored content, it only stops the browser from executing injected inline script, and a WAF can be bypassed with encoding variants, so neither replaces the vendor fix.
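A triage helper for the actions above, added here as example code rather than anything from the plugin or from OpenCVE: it reads the Version: field from a WordPress plugin header, compares it against the advisory's last affected version, and flags stored values that carry script-bearing markup. The plugin path, the sample header and the sample stored values are constructed assumptions; the advisory gives the slug wp-category-dropdown but neither the main file name nor the table the plugin reads from.

```python
import re

# Assumed location of the plugin's main file (conventional WordPress layout
# for the slug named in the advisory; the real main file name is not given).
PLUGIN_MAIN_FILE = "wp-content/plugins/wp-category-dropdown/wp-category-dropdown.php"

# Constructed sample of a WordPress plugin header block, in the form
# WordPress itself parses. Field values here are illustrative.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: WP Category Dropdown
 * Version: 1.9
 * Author: Chandrika Sista
 */
"""

LAST_AFFECTED = "1.9"  # "from n/a through 1.9" in the advisory


def parse_plugin_version(header_text):
    """Return the Version: field of a WordPress plugin header, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def version_tuple(version):
    """Numeric tuple for comparison. Parsing stops at the first non-numeric
    component ('1.9-beta' -> (1, 9)) and trailing zeros are dropped so that
    '1.9.0' compares equal to '1.9'."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version):
    """True when the installed version falls inside the advisory's range."""
    return version_tuple(version) <= version_tuple(LAST_AFFECTED)


# Constructed sample of values an operator might export for review (for
# example category names or plugin options dumped with WP-CLI). Which table
# the plugin actually reads is not stated in the advisory.
SAMPLE_STORED_VALUES = [
    "News",
    "Events & Talks",
    "<img src=x onerror=alert(1)>",
    'Archive" autofocus onfocus=alert(1) x="',
    "javascript:alert(1)",
]

# Triage heuristic, not a sanitizer: it is meant to surface entries for a
# human to look at and will occasionally flag benign text.
SUSPICIOUS = re.compile(
    r"<\s*(script|img|svg|iframe|object|embed)\b"  # tag-based payloads
    r"|\bon[a-z]+\s*="                             # event-handler attributes
    r"|javascript\s*:",                            # scheme-based payloads
    re.IGNORECASE,
)


def find_suspicious_entries(values):
    """Return the stored values that contain markup a category label should not carry."""
    return [v for v in values if SUSPICIOUS.search(v)]


if __name__ == "__main__":
    installed = parse_plugin_version(SAMPLE_PLUGIN_HEADER)
    print(f"{PLUGIN_MAIN_FILE}: version {installed}, affected={is_affected(installed)}")
    for entry in find_suspicious_entries(SAMPLE_STORED_VALUES):
        print("review:", entry)
```

On a live site, read the header from the real main file and pull the stored values with the site's own tooling; the comparison deliberately treats anything with a 1.9 prefix (1.9, 1.9.0, 1.9-beta) as affected, because the advisory gives no fixed version and a point release after 1.9 should be checked against the changelog rather than assumed safe.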



Advisories

Source: EUVD
ID: EUVD-2025-30588
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chandrika Sista WP Category Dropdown allows Stored XSS. This issue affects WP Category Dropdown: from n/a through 1.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chandrika Sista WP Category Dropdown allows Stored XSS. This issue affects WP Category Dropdown: from n/a through 1.9.
Value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chandrika Sista WP Category Dropdown wp-category-dropdown allows Stored XSS.This issue affects WP Category Dropdown: from n/a through <= 1.9.
Type: References (no values listed)
Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 23 Sep 2025 17:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Sep 2025 16:15:00 +0000

Type: First Time appeared
Values: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values: Wordpress; Wordpress wordpress

Mon, 22 Sep 2025 18:30:00 +0000

Type: Description
Value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chandrika Sista WP Category Dropdown allows Stored XSS. This issue affects WP Category Dropdown: from n/a through 1.9.
Type: Title
Value added: WordPress WP Category Dropdown Plugin <= 1.9 - Cross Site Scripting (XSS) Vulnerability
Type: Weaknesses
Value added: CWE-79
Type: References (no values listed)
Type: Metrics (cvssV3_1)
Value added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:58:41.213Z

Reserved: 2025-08-27T16:19:35.849Z

Link: CVE-2025-58239

Vulnrichment

Updated: 2025-09-23T15:57:18.500Z

NVD

Status: Deferred

Published: 2025-09-22T19:16:09.407

Modified: 2026-04-23T15:33:21.793

Link: CVE-2025-58239

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T06:45:16Z

Weaknesses

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')