Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rbaer Simple Matomo Tracking Code simple-matomo-tracking-code allows Stored XSS. This issue affects Simple Matomo Tracking Code: from n/a through <= 1.1.0.
Published: 2025-09-03
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw (CWE-79) that permits an attacker to inject malicious script into the WordPress site through the Simple Matomo Tracking Code plugin. Once stored, the script is rendered in users' browsers, potentially enabling session hijacking, cookie theft, or other client-side attacks. The impact is limited to client-side compromise unless the injected script in turn accesses privileged data or triggers further server-side exploits.

Affected Systems

This flaw affects all installations of the rbaer Simple Matomo Tracking Code WordPress plugin in versions n/a through 1.1.0. Users of any WordPress site running these plugin versions are at risk, regardless of site ownership or configuration level.

Risk and Exploitability

With a CVSS score of 5.9, the vulnerability is classified as medium, and the EPSS score of under 1% suggests a low probability of exploitation at this time; the vulnerability is not in the CISA KEV catalog. In practice, a likely attack vector would involve an attacker with sufficient privileges to add or modify plugin settings, since the stored XSS originates from data persisted in the plugin. Exploitation would then affect all visitors to the affected site.

Generated by OpenCVE AI on April 30, 2026 at 02:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Simple Matomo Tracking Code plugin to a version newer than 1.1.0 when a release with fixed input sanitization is available.
  • If an update is not immediately possible, disable or uninstall the plugin to eliminate the storage of malicious scripts.
  • Apply strict output‑encoding or input sanitization rules to the plugin’s options or any stored data to prevent future injection attacks.


Advisories

Source: EUVD
ID: EUVD-2025-26540
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rbaer Simple Matomo Tracking Code allows Stored XSS. This issue affects Simple Matomo Tracking Code: from n/a through 1.1.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rbaer Simple Matomo Tracking Code allows Stored XSS. This issue affects Simple Matomo Tracking Code: from n/a through 1.1.0.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rbaer Simple Matomo Tracking Code simple-matomo-tracking-code allows Stored XSS. This issue affects Simple Matomo Tracking Code: from n/a through <= 1.1.0.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 03 Sep 2025 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Rbaer
Rbaer simple Matomo Tracking Code Plugin
Wordpress
Wordpress wordpress
Vendors & Products Rbaer
Rbaer simple Matomo Tracking Code Plugin
Wordpress
Wordpress wordpress

Wed, 03 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Sep 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rbaer Simple Matomo Tracking Code allows Stored XSS. This issue affects Simple Matomo Tracking Code: from n/a through 1.1.0.
Title WordPress Simple Matomo Tracking Code Plugin <= 1.1.0 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:44.553Z

Reserved: 2025-09-03T09:03:04.976Z

Link: CVE-2025-58630

Vulnrichment

Updated: 2025-09-03T17:36:06.349Z

NVD

Status: Deferred

Published: 2025-09-03T15:15:46.007

Modified: 2026-04-23T15:33:29.617

Link: CVE-2025-58630

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T03:00:15Z

Weaknesses