Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP WPComplete wpcomplete allows Stored XSS. This issue affects WPComplete: from n/a through <= 2.9.5.2.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when the StellarWP WPComplete WordPress plugin fails to neutralize user input before rendering it in generated web pages, allowing attackers to store malicious scripts. This stored XSS runs in the browser of any user who views the affected content, potentially leading to session hijacking, defacement, or arbitrary code execution in the browser context. The weakness is classified as CWE-79, a classic input-validation flaw.

Affected Systems

WordPress sites that run the StellarWP WPComplete plugin version 2.9.5.2 or earlier are susceptible. The issue is present across all affected releases up through 2.9.5.2; newer releases are not affected.

Risk and Exploitability

The CVSS score of 6.5 reflects a moderate impact, yet the EPSS score of less than 1% indicates a very low probability of exploitation at present. It is not listed in the CISA KEV catalog. Likely attackers would need to inject the payload via the plugin interface or any user-submittable field that is stored and rendered by the plugin, and then entice a victim administrator or user to visit the affected page to execute the script.

Generated by OpenCVE AI on April 30, 2026 at 06:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPComplete plugin to a version newer than 2.9.5.2 (install the latest release).
  • If an upgrade cannot be performed immediately, disable or remove the WPComplete plugin from the site to eliminate the vulnerable code path.
  • Implement a web application firewall rule or similar input-validation filter to block common XSS payload patterns when the plugin is enabled.


Tracking


Advisories
Source: EUVD
ID: EUVD-2025-30489
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP WPComplete allows Stored XSS. This issue affects WPComplete: from n/a through 2.9.5.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP WPComplete allows Stored XSS. This issue affects WPComplete: from n/a through 2.9.5.2.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP WPComplete wpcomplete allows Stored XSS.This issue affects WPComplete: from n/a through <= 2.9.5.2.
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 23 Sep 2025 18:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Sep 2025 16:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Mon, 22 Sep 2025 18:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP WPComplete allows Stored XSS. This issue affects WPComplete: from n/a through 2.9.5.2.
Type: Title
Values Added: WordPress WPComplete Plugin <= 2.9.5.2 - Cross Site Scripting (XSS) Vulnerability
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:50.809Z

Reserved: 2025-09-06T04:45:16.549Z

Link: CVE-2025-58974

Vulnrichment

Updated: 2025-09-23T17:47:51.236Z

NVD

Status : Deferred

Published: 2025-09-22T19:16:22.957

Modified: 2026-04-23T15:33:58.503

Link: CVE-2025-58974

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T06:15:29Z

Weaknesses