Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBean WPB Image Widget wpb-image-widget allows Stored XSS. This issue affects WPB Image Widget: from n/a through <= 1.1.
Published: 2025-09-05
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper neutralization of input during web page generation, classified as Cross-Site Scripting, was discovered in the WPBean WPB Image Widget plugin. This stored XSS flaw permits an attacker to inject arbitrary JavaScript into pages rendered by the plugin, potentially leading to defacement, credential theft or session hijacking of visitors who view affected pages. The weakness is identified as CWE-79.

Affected Systems

The vulnerability affects the WPBean WPB Image Widget plugin for WordPress. All releases from the initial version through version 1.1 are impacted.

Risk and Exploitability

The calculated CVSS score is 6.5, indicating a moderate severity. The EPSS score is less than 1 percent, suggesting a low probability of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, further indicating limited active exploitation. Likely exploitation requires an attacker with access to the WordPress administration interface or the ability to embed malicious content within the widget, which would then be served to unsuspecting site visitors.

Generated by OpenCVE AI on April 30, 2026 at 02:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest WPB Image Widget plugin version (greater than 1.1) or uninstall the plugin if no replacement is available.
  • Limit the widget’s input to trusted data by restricting upload permissions or sanitizing content at the entry point.
  • Monitor site traffic and logs for signs of successful XSS exploitation and perform regular security scans for widget content integrity.



Advisories

Source: EUVD
ID: EUVD-2025-26919
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBean WPB Image Widget allows Stored XSS. This issue affects WPB Image Widget: from n/a through 1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBean WPB Image Widget allows Stored XSS. This issue affects WPB Image Widget: from n/a through 1.1.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBean WPB Image Widget wpb-image-widget allows Stored XSS. This issue affects WPB Image Widget: from n/a through <= 1.1.

Type: References
Values Removed: (none listed)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Sun, 07 Sep 2025 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Fri, 05 Sep 2025 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Sep 2025 14:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBean WPB Image Widget allows Stored XSS. This issue affects WPB Image Widget: from n/a through 1.1.

Type: Title
Values Removed: (none)
Values Added: WordPress WPB Image Widget Plugin <= 1.1 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none listed)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-13T00:11:55.592Z

Reserved: 2025-09-05T10:49:57.446Z

Link: CVE-2025-58858

Vulnrichment

Updated: 2025-09-05T19:51:58.782Z

NVD

Status: Deferred

Published: 2025-09-05T14:16:00.743

Modified: 2026-04-23T15:33:46.390

Link: CVE-2025-58858

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T02:15:25Z

Weaknesses