Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Logo Showcase logo-showcase allows Stored XSS. This issue affects Logo Showcase: from n/a through <= 4.0.1.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Logo Showcase plugin fails to neutralize user-supplied input when generating a page (CWE-79), enabling stored cross-site scripting. An attacker with an account that can write to the plugin's data fields saves a script payload, which the plugin later renders unescaped. When any user visits a page displaying that data, the injected script runs in the victim's browser with that user's session, potentially allowing session hijacking, credential theft, or malicious redirects; if the victim is an administrator, the script can perform any action the administrator's session permits in the WordPress dashboard. The flaw compromises client-side integrity and confidentiality but does not by itself grant server-side code execution.

Affected Systems

The vulnerability affects installations of the Themepoints Logo Showcase plugin for WordPress at version 4.0.1 or earlier. The advisory was first published with an upper bound of 3.0.9 and was later revised to 4.0.1 (see History), so sites that upgraded only past 3.0.9 remain affected. Any WordPress site running the plugin up to and including 4.0.1 is at risk; the WordPress core version is irrelevant to the flaw.

Risk and Exploitability

The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L scores 6.5 (Medium): the flaw is reachable over the network with low attack complexity, requires a low-privileged account to plant the payload (PR:L), and needs a victim to load the affected page for the script to fire (UI:R). The changed scope (S:C) reflects that the payload executes in the visiting user's browser rather than in the plugin itself. The EPSS score of less than 1% indicates a low probability of exploitation at present, the flaw is not listed in CISA's KEV catalog, and the SSVC assessment recorded in History rates Exploitation as none, Automatable as no, and Technical Impact as partial. Exploitation consists of supplying crafted input through the plugin's own data fields, storing it, and waiting for users to view the page that renders it; no administrative privileges are required beyond the ability to write those fields.

Generated by OpenCVE AI on April 30, 2026 at 06:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Logo Showcase plugin to a release later than 4.0.1 that the vendor's changelog identifies as fixing the stored XSS; this page currently records no vendor fix, so verify the changelog rather than assuming the next version is patched.
  • If no fixed release is available and upgrading is not possible, deactivate and uninstall the plugin to eliminate the entry point for the XSS payload, and review the plugin's stored data for script content already saved by low-privileged accounts.
  • Require server-side validation of input on save and, independently, escaping of every stored value for the HTML context in which it is rendered (text, attribute, or URL); deploy a Content Security Policy that blocks inline scripts as defence in depth, testing it in report-only mode first because WordPress themes and the admin area commonly rely on inline scripts.
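The following is an added illustration of the CWE-79 pattern behind this CVE and of the fix the recommended actions describe; it is not code from the Logo Showcase plugin, and the record layout (a logo title, link URL and image URL) is an assumption made for the example. It is written in plain PHP so it runs standalone, with the WordPress escaping and sanitization functions that a real plugin would use noted in comments.

```php
<?php
// Added illustration of the CWE-79 pattern and its fix; this is not code from
// the Logo Showcase plugin. The record layout (title, link URL, image URL) is
// an assumption made for the example. Plain PHP so it runs standalone with
// `php stored_xss_demo.php`; WordPress equivalents are noted in comments.
declare(strict_types=1);

// Constructed sample record: each field carries a stored-XSS payload.
const SAMPLE_LOGO = [
    'title' => 'Acme <script>alert(document.cookie)</script>',
    'url'   => 'javascript:alert(1)',
    'image' => 'https://example.com/logo.png" onerror="alert(1)',
];

// Vulnerable rendering: stored values are concatenated straight into markup,
// so a payload saved by a low-privileged user executes for every visitor.
function render_logo_unescaped(array $logo): string
{
    return '<a href="' . $logo['url'] . '"><img src="' . $logo['image']
        . '" alt="' . $logo['title'] . '"></a><p>' . $logo['title'] . '</p>';
}

// Escape for HTML text and quoted-attribute context
// (WordPress: esc_html() / esc_attr()).
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Accept only absolute http/https URLs; javascript:, data: and other schemes
// are dropped. Quotes inside a kept URL are handled by esc() at output time.
// (WordPress: esc_url() for output, esc_url_raw() on save.)
function http_url_or_empty(string $value): string
{
    $value  = trim($value);
    $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $value : '';
}

// Hardened rendering: every value is escaped for the context it lands in.
function render_logo_escaped(array $logo): string
{
    $title = esc($logo['title']);
    $url   = esc(http_url_or_empty($logo['url']));
    $image = esc(http_url_or_empty($logo['image']));
    $html  = $image !== '' ? '<img src="' . $image . '" alt="' . $title . '">' : '';
    if ($url !== '') {
        $html = '<a href="' . $url . '">' . $html . '</a>';
    }
    return $html . '<p>' . $title . '</p>';
}

// Save-time sanitization (WordPress: sanitize_text_field(), esc_url_raw()).
// This limits what gets stored but does not replace output escaping: rows
// already in the database, or written by another code path, are unaffected.
function sanitize_logo_input(array $raw): array
{
    return [
        'title' => strip_tags(trim((string) ($raw['title'] ?? ''))),
        'url'   => http_url_or_empty((string) ($raw['url'] ?? '')),
        'image' => http_url_or_empty((string) ($raw['image'] ?? '')),
    ];
}

// Content-Security-Policy that refuses inline scripts, as defence in depth.
// In WordPress this would be emitted from a send_headers hook; themes and the
// admin area often rely on inline scripts, so roll it out report-only first.
function csp_header_value(): string
{
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

if (PHP_SAPI === 'cli') {
    echo "unescaped: ", render_logo_unescaped(SAMPLE_LOGO), PHP_EOL;
    echo "escaped:   ", render_logo_escaped(SAMPLE_LOGO), PHP_EOL;
    echo "sanitized: ", json_encode(sanitize_logo_input(SAMPLE_LOGO)), PHP_EOL;
    echo "csp:       ", csp_header_value(), PHP_EOL;
}
```

Running the script prints the unescaped markup with a live `<script>` element and a `javascript:` link, then the escaped version in which the title is inert text, the `javascript:` URL has been dropped, and the quote in the image URL has become `&quot;` so it can no longer break out of the `src` attribute. The point of keeping `render_logo_escaped()` separate from `sanitize_logo_input()` is that escaping at output is the control that actually closes CWE-79; input sanitization only shrinks the attack surface.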


Advisories
Source: EUVD
ID: EUVD-2025-30483
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Logo Showcase allows Stored XSS. This issue affects Logo Showcase: from n/a through 3.0.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description, removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Logo Showcase allows Stored XSS. This issue affects Logo Showcase: from n/a through 3.0.9.
Description, added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Logo Showcase logo-showcase allows Stored XSS. This issue affects Logo Showcase: from n/a through <= 4.0.1.
Title, removed: WordPress Logo Showcase Plugin <= 3.0.9 - Cross Site Scripting (XSS) Vulnerability
Title, added: WordPress Logo Showcase plugin <= 4.0.1 - Cross Site Scripting (XSS) vulnerability
References
Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 23 Sep 2025 16:15:00 +0000

First Time appeared: Themepoints; Themepoints logo Showcase; Wordpress; Wordpress wordpress
Vendors & Products: Themepoints; Themepoints logo Showcase; Wordpress; Wordpress wordpress

Tue, 23 Sep 2025 15:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Sep 2025 18:30:00 +0000

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Logo Showcase allows Stored XSS. This issue affects Logo Showcase: from n/a through 3.0.9.
Title: WordPress Logo Showcase Plugin <= 3.0.9 - Cross Site Scripting (XSS) Vulnerability
Weaknesses: CWE-79
References
Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:46.292Z

Reserved: 2025-09-03T09:03:53.070Z

Link: CVE-2025-58684

Vulnrichment

Updated: 2025-09-23T13:59:23.923Z

NVD

Status : Deferred

Published: 2025-09-22T19:16:20.043

Modified: 2026-04-23T15:33:35.507

Link: CVE-2025-58684

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T07:00:13Z

Weaknesses