Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ronald Huereca Highlight and Share highlight-and-share allows Stored XSS. This issue affects Highlight and Share: from n/a through <= 5.1.1.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an improper neutralization of input during web page generation (CWE-79): a value the plugin stores is later written into a page without adequate escaping, so script supplied by an attacker is persisted and executes in the browsers of other users who view the affected page. Because that script runs in the site's own origin, it can act with the victim's session: issue requests as that user, read whatever that user can read, alter what the page shows, or capture credentials typed into it. The CVSS vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) records that the attacker needs some authenticated access (PR:L) and that a victim must view the tainted content (UI:R). The advisory does not identify which stored field is affected.

Affected Systems

This issue affects the WordPress Highlight and Share plugin (Highlight and Share – Social Text and Image Sharing), a social text and image sharing plugin by Ronald Huereca. All installations running version 5.1.1 or earlier are affected; the advisory gives no lower bound ("from n/a").

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (Medium) reflects network-reachable, low-complexity exploitation that requires low privileges (PR:L) and a user interaction (UI:R), with a changed scope (S:C) and low impact on confidentiality, integrity and availability. The EPSS score below 1% estimates a low probability of exploitation in the wild over the next 30 days; it says nothing about whether a public proof of concept exists. The vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment below records Exploitation: none and Automatable: no. An attacker needs an account able to submit the content or setting the plugin stores; the advisory does not state the minimum role. Once the payload is stored, it runs in the browser of every user who loads the affected page, with that user's session and permissions, so a payload viewed by an administrator is the most damaging case.

Generated by OpenCVE AI on April 30, 2026 at 01:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Highlight and Share plugin to a release later than 5.1.1 that contains the XSS fix (this recommendation names >= 5.1.2; since the Remediation section above records no vendor fix, confirm the fixed version in the vendor changelog before relying on it).
  • Until an update is applied, review the plugin's stored settings and any user-submitted content it renders for script tags, event-handler attributes (onerror, onload and similar) and javascript: URLs, remove anything suspect, and restrict which roles can submit the content the plugin stores.
  • A web application firewall rule that blocks obvious script payloads in requests is a stop-gap only: such filters are routinely bypassed with encoding and attribute-based payloads, and they do nothing for content that is already stored. The durable fix is sanitizing on input and escaping on output in the plugin code.

Generated by OpenCVE AI on April 30, 2026 at 01:32 UTC.
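The pattern behind this CVE, as an added example that is not code from the Highlight and Share plugin or from this advisory: a plugin setting saved without sanitization and written into markup without escaping, beside the hardened form using WordPress's sanitize_text_field(), esc_attr() and esc_html(). The option name 'hs_share_label', the form field 'share_label' and every function name are assumed for illustration; the advisory does not identify the affected field. Simplified stand-ins for the three WordPress functions are defined only when the file runs outside WordPress, so the script can be run on its own with the constructed payload.

```php
<?php
// Added illustration of the bug class behind CVE-2025-58260 (stored XSS in a
// WordPress plugin). This is NOT code from the Highlight and Share plugin; the
// option name 'hs_share_label', the form field 'share_label' and every function
// below are hypothetical. The advisory does not name the affected field.

// Simplified stand-ins so this file runs outside WordPress. Inside WordPress,
// core defines the real esc_html(), esc_attr() and sanitize_text_field() and
// these definitions are skipped. (The real sanitize_text_field() also strips
// invalid UTF-8 and stray percent-encoded octets.)
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text) {
        $text = strip_tags((string) $text);               // remove tags
        $text = preg_replace('/[\r\n\t ]+/', ' ', $text); // collapse whitespace
        return trim($text);
    }
}

// Constructed in-memory stand-in for the wp_options table.
$store = [];

// VULNERABLE pattern: the submitted value is stored verbatim and later written
// into markup without escaping. A low-privileged user who can reach this save
// handler plants a payload that runs for everyone who views the button.
function hs_save_label_vulnerable(array &$store, array $post) {
    $store['hs_share_label'] = $post['share_label'];  // no sanitization
}
function hs_render_button_vulnerable(array $store) {
    $label = $store['hs_share_label'];
    return '<button class="hs-share" title="' . $label . '">' . $label . '</button>';
}

// HARDENED pattern: sanitize on input (in a real plugin also gate the handler
// with current_user_can() and check_admin_referer(), or register the option via
// register_setting() with 'sanitize_callback' => 'sanitize_text_field'), and
// escape on output for the exact context the value lands in: esc_attr() inside
// an attribute, esc_html() in a text node. Output escaping is what actually
// prevents the XSS; input sanitization is defense in depth.
function hs_save_label_hardened(array &$store, array $post) {
    $store['hs_share_label'] = sanitize_text_field($post['share_label'] ?? '');
}
function hs_render_button_hardened(array $store) {
    $label = $store['hs_share_label'] ?? '';
    return '<button class="hs-share" title="' . esc_attr($label) . '">'
         . esc_html($label) . '</button>';
}

// Constructed payload: closes the title attribute, then injects an element
// whose event handler runs script in the viewer's browser.
$payload = '"><img src=x onerror="alert(document.domain)">';

hs_save_label_vulnerable($store, ['share_label' => $payload]);
echo "vulnerable: ", hs_render_button_vulnerable($store), "\n";

hs_save_label_hardened($store, ['share_label' => $payload]);
echo "hardened:   ", hs_render_button_hardened($store), "\n";
```

Run with `php stored_xss_demo.php` (any file name): the vulnerable render emits the payload intact, so the injected onerror handler fires in any browser that loads that markup, while the hardened render keeps only `&quot;&gt;` in both the attribute and the text node. Note that the protection lives in the output escaping; sanitizing on save alone would leave any previously stored payload live, which is why the audit of stored content in the recommended actions matters even after the plugin is updated.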

Advisories
Source: EUVD
ID: EUVD-2025-30569
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ronald Huereca Highlight and Share – Social Text and Image Sharing allows Stored XSS. This issue affects Highlight and Share – Social Text and Image Sharing: from n/a through 5.1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ronald Huereca Highlight and Share – Social Text and Image Sharing allows Stored XSS. This issue affects Highlight and Share – Social Text and Image Sharing: from n/a through 5.1.1.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ronald Huereca Highlight and Share highlight-and-share allows Stored XSS.This issue affects Highlight and Share: from n/a through <= 5.1.1.
Title
  Removed: WordPress Highlight and Share – Social Text and Image Sharing Plugin <= 5.1.1 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress Highlight and Share – Social Text and Image Sharing plugin <= 5.1.1 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared: Ronald Huereca; Ronald Huereca highlight And Share; Wordpress; Wordpress wordpress
Vendors & Products: Ronald Huereca; Ronald Huereca highlight And Share; Wordpress; Wordpress wordpress

Tue, 23 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ronald Huereca Highlight and Share – Social Text and Image Sharing allows Stored XSS. This issue affects Highlight and Share – Social Text and Image Sharing: from n/a through 5.1.1.
Title WordPress Highlight and Share – Social Text and Image Sharing Plugin <= 5.1.1 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:56:46.289Z

Reserved: 2025-08-27T16:19:53.147Z

Link: CVE-2025-58260

Vulnrichment

Updated: 2025-09-23T13:58:59.353Z

NVD

Status : Deferred

Published: 2025-09-22T19:16:12.323

Modified: 2026-04-23T15:33:24.160

Link: CVE-2025-58260

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T01:45:06Z

Weaknesses