Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in morganrichards Auction Feed auction-feed allows Stored XSS. This issue affects Auction Feed: from n/a through <= 1.1.4.
Published: 2025-09-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation (CWE-79) that leads to stored XSS in the Auction Feed plugin for WordPress. Script injected into plugin-managed content is stored server-side and executed in the browser of every user who later views that content, which can enable session hijacking, actions performed with the victim's privileges, defacement, or other client-side compromise. The CVSS vector on this record (PR:N, UI:R, S:C) and the advisory title recorded in the History section, which describes the issue as a CSRF, indicate that the injecting request need not come from an authenticated attacker: it can be forged on behalf of a logged-in user who manages auction content and is lured to an attacker-controlled page.

Affected Systems

Affected systems are WordPress sites running the Auction Feed plugin (slug auction-feed) by morganrichards at any version up to and including 1.1.4; the record gives no lower bound ("from n/a"), so every released version should be assumed affected. The record lists no fixed version.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) places the issue in the high-severity range. The EPSS score is below 1%, meaning the model estimates a low probability of exploitation in the wild over the next 30 days; it says nothing about whether exploit code exists. The SSVC assessment in the History section records Exploitation: none and Automatable: no, and the CVE is not in the CISA KEV catalog. The PR:N/UI:R profile, together with the CSRF wording of the advisory title, points to an exploitation path in which a privileged user (one who can create or edit auction entries) is induced to submit a crafted request; the injected JavaScript is then stored and rendered to subsequent visitors. The changed scope (S:C) reflects that the impact lands in visitors' browsers rather than in the plugin itself. Because the trusted user can be made to submit the request unknowingly, restricting access to the plugin's input forms reduces but does not remove the risk.

Generated by OpenCVE AI on April 30, 2026 at 01:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Auction Feed plugin as soon as the vendor publishes a release above 1.1.4; this record lists no fixed version, so confirm from the plugin's changelog that a newer build actually addresses the issue rather than assuming it does.
  • If no fixed release is available, deactivate and remove the plugin. Deactivation stops its handlers and shortcodes from running; removal also takes the vulnerable code off disk.
  • Restrict the ability to add or edit auction listings to trusted roles, and review existing listings for injected markup. Keep in mind that the PR:N/UI:R vector means a trusted user can be made to submit the injecting request without realising it, so role restrictions alone are not a complete mitigation.
  • For the plugin's maintainers: verify a nonce (check_admin_referer or wp_verify_nonce) and a capability (current_user_can) on every write handler, sanitize on input (sanitize_text_field, wp_kses_post), and escape on output with the function that matches the HTML context (esc_html, esc_attr, wp_kses). esc_html neutralizes markup only at the point it is echoed, so it belongs in the rendering path, not the save path.
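The following is an added example, not code from the Auction Feed plugin or from OpenCVE. It shows the CWE-79 pattern described on this page in a minimal WordPress admin handler and shortcode, alongside a hardened form that applies the four controls listed above. The option names, form fields, action hooks and shortcode tags (af_*, auction_feed) are hypothetical; the WordPress functions used (check_admin_referer, current_user_can, sanitize_text_field, wp_kses_post, esc_html, esc_attr, esc_textarea, wp_nonce_field) are real core APIs.

```php
<?php
/*
 * Added example (hypothetical plugin code, not Auction Feed's own source).
 * Vulnerable pair: raw POST data stored with no nonce or capability check,
 * then echoed unescaped. Hardened pair: nonce + capability on write,
 * sanitization on input, context-appropriate escaping on output.
 */

// ---- Vulnerable: no nonce, no capability check, no sanitization, no escaping ----

add_action( 'admin_post_af_save_listing_vuln', 'af_save_listing_vuln' );
function af_save_listing_vuln() {
    // Any request that reaches admin-post.php with this action is honoured, so a
    // page that auto-submits a form can store attacker-chosen HTML using the
    // cookies of whichever logged-in administrator visits it (CSRF -> stored XSS).
    update_option( 'af_listing_title', $_POST['title'] );
    update_option( 'af_listing_body',  $_POST['body'] );
    wp_safe_redirect( admin_url( 'admin.php?page=auction-feed' ) );
    exit;
}

add_shortcode( 'auction_feed_vuln', 'af_render_listing_vuln' );
function af_render_listing_vuln() {
    // The stored value is concatenated into the page as-is; a stored <script>
    // element runs for every visitor who renders this shortcode.
    return '<h3>' . get_option( 'af_listing_title' ) . '</h3>'
         . '<div>' . get_option( 'af_listing_body' ) . '</div>';
}

// ---- Hardened: nonce + capability on write, sanitize on input, escape on output ----

function af_render_listing_form() {
    // The form carries a nonce bound to the save action; a forged cross-site POST
    // cannot include a valid one because the attacker's page cannot read it.
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="af_save_listing">
        <?php wp_nonce_field( 'af_save_listing', 'af_nonce' ); ?>
        <input type="text" name="title"
               value="<?php echo esc_attr( get_option( 'af_listing_title', '' ) ); ?>">
        <textarea name="body"><?php echo esc_textarea( get_option( 'af_listing_body', '' ) ); ?></textarea>
        <?php submit_button( 'Save listing' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_af_save_listing', 'af_save_listing' );
function af_save_listing() {
    // 1. CSRF: check_admin_referer() calls wp_die() unless the nonce is valid.
    check_admin_referer( 'af_save_listing', 'af_nonce' );

    // 2. Authorization: a nonce proves intent, not privilege; check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to edit auction listings.', 'auction-feed' ), 403 );
    }

    // 3. Input neutralization: plain text for the title; a limited HTML allow-list
    //    for the body (wp_kses_post removes <script>, on* handlers and javascript: URLs).
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    $body  = isset( $_POST['body'] )  ? wp_kses_post( wp_unslash( $_POST['body'] ) )        : '';

    update_option( 'af_listing_title', $title );
    update_option( 'af_listing_body',  $body );

    wp_safe_redirect( admin_url( 'admin.php?page=auction-feed&saved=1' ) );
    exit;
}

add_shortcode( 'auction_feed', 'af_render_listing' );
function af_render_listing() {
    // 4. Output escaping at the point of rendering, chosen per context: esc_html for a
    //    text node, and wp_kses_post again on the body so the rule still holds if the
    //    option was written by an older, unsanitized code path.
    return '<h3>' . esc_html( get_option( 'af_listing_title', '' ) ) . '</h3>'
         . '<div>' . wp_kses_post( get_option( 'af_listing_body', '' ) ) . '</div>';
}
```

Each layer addresses a different failure: the nonce defeats the forged cross-site request that the record's PR:N/UI:R vector implies, the capability check stops low-privilege accounts, and save-time sanitization plus render-time escaping make an injected script inert even if one of the earlier checks is bypassed. The page's advice to use esc_html or wp_kses covers only the last layer.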



Advisories
Source: EUVD
ID: EUVD-2025-30542
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in morganrichards Auction Feed allows Stored XSS. This issue affects Auction Feed: from n/a through 1.1.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in morganrichards Auction Feed allows Stored XSS. This issue affects Auction Feed: from n/a through 1.1.3.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in morganrichards Auction Feed auction-feed allows Stored XSS. This issue affects Auction Feed: from n/a through <= 1.1.4.
Type: Title
  Removed: WordPress Auction Feed Plugin <= 1.1.3 - Cross Site Request Forgery (CSRF) Vulnerability
  Added: WordPress Auction Feed plugin <= 1.1.4 - Cross Site Request Forgery (CSRF) vulnerability
Type: References
Type: Metrics
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 23 Sep 2025 17:15:00 +0000

Type: Metrics
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:15:00 +0000

Type: First Time appeared
  Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Added: Wordpress; Wordpress wordpress

Mon, 22 Sep 2025 18:30:00 +0000

Type: Description
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in morganrichards Auction Feed allows Stored XSS. This issue affects Auction Feed: from n/a through 1.1.3.
Type: Title
  Added: WordPress Auction Feed Plugin <= 1.1.3 - Cross Site Request Forgery (CSRF) Vulnerability
Type: Weaknesses
  Added: CWE-79
Type: References
Type: Metrics
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-13T10:38:53.593Z

Reserved: 2025-09-03T09:03:35.443Z

Link: CVE-2025-58671

Vulnrichment

Updated: 2025-09-23T16:03:28.154Z

NVD

Status: Deferred

Published: 2025-09-22T19:16:18.227

Modified: 2026-04-23T15:33:34.000

Link: CVE-2025-58671

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T02:00:13Z

Weaknesses