Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZEEN101 IssueM issuem allows DOM-Based XSS. This issue affects IssueM: from n/a through <= 2.9.0.
Published: 2025-09-03
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The IssueM WordPress plugin contains a DOM‑based XSS flaw caused by improper neutralization of input during web page generation. The vulnerability allows an attacker to inject malicious JavaScript that is reflected into the browser's DOM, potentially enabling client‑side attacks. This weakness is a classic input‑validation issue identified as CWE‑79.

Affected Systems

All installations of the ZEEN101 IssueM plugin from its initial release through version 2.9.0 are affected. Any user on a site running one of those releases may be vulnerable to a DOM‑based XSS attack.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector involves an attacker providing crafted input—such as data entered into a form field or a URL parameter—that the plugin echoes into the DOM, leading to execution of the injected script.

Generated by OpenCVE AI on May 2, 2026 at 01:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the IssueM plugin to any version newer than 2.9.0 to remove the XSS flaw.
  • Implement a Content Security Policy that blocks inline scripts and limits the execution of untrusted JavaScript on the site.
  • If an immediate upgrade is not possible, temporarily disable plugin features that reflect unsanitized user input into the DOM, such as ticket comments or custom fields, until a patched version is applied.

Advisories
Source: EUVD
ID: EUVD-2025-26539
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZEEN101 IssueM allows DOM-Based XSS. This issue affects IssueM: from n/a through 2.9.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZEEN101 IssueM allows DOM-Based XSS. This issue affects IssueM: from n/a through 2.9.0.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZEEN101 IssueM issuem allows DOM-Based XSS.This issue affects IssueM: from n/a through <= 2.9.0.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 03 Sep 2025 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Zeen101
Zeen101 issuem Plugin
Vendors & Products Wordpress
Wordpress wordpress
Zeen101
Zeen101 issuem Plugin

Wed, 03 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Sep 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZEEN101 IssueM allows DOM-Based XSS. This issue affects IssueM: from n/a through 2.9.0.
Title WordPress IssueM Plugin <= 2.9.0 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-13T00:07:21.782Z

Reserved: 2025-09-03T09:03:04.976Z

Link: CVE-2025-58631

Vulnrichment

Updated: 2025-09-03T17:35:58.725Z

NVD

Status: Deferred

Published: 2025-09-03T15:15:46.197

Modified: 2026-04-23T15:33:29.713

Link: CVE-2025-58631

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T01:15:06Z

Weaknesses