Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Tauqeer CubeWP cubewp-framework allows Stored XSS. This issue affects CubeWP: from n/a through <= 1.1.26.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper neutralization of input during web page generation in the CubeWP plugin for WordPress allows stored cross‑site scripting; attackers could submit malicious scripts that are stored and subsequently executed in the browsers of any site visitor when the affected page is rendered. The assertion that all site visitors are impacted is inferred from the description but not explicitly stated in the advisory.

Affected Systems

All WordPress installations that use the CubeWP plugin from Imran Tauqeer with a version number of 1.1.26 or earlier are affected. No newer releases have been reported to contain this flaw.

Risk and Exploitability

The vulnerability resides in plugin input fields that lack proper sanitization, allowing an attacker who can submit data to store scripts that are later rendered in the page view. The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to inject malicious script via any input endpoint exposed by the plugin, and any authenticated or unauthenticated user capable of submitting content could potentially trigger the stored XSS when normal users view the affected page.

Generated by OpenCVE AI on May 1, 2026 at 06:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CubeWP to version 1.1.27 or later.
  • Limit the use of CubeWP content‑editing capabilities to trusted administrators and remove any unnecessary user roles that can submit plugin content.
  • Apply a web‑application firewall or a security plugin that actively sanitizes user input and blocks inline script execution to mitigate the risk if an upgrade cannot be performed immediately.

Advisories
Source ID Title
EUVD EUVD-2025-30510 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emraan Cheema CubeWP allows Stored XSS. This issue affects CubeWP: from n/a through 1.1.26.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emraan Cheema CubeWP allows Stored XSS. This issue affects CubeWP: from n/a through 1.1.26.
Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Tauqeer CubeWP cubewp-framework allows Stored XSS. This issue affects CubeWP: from n/a through <= 1.1.26.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 23 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Cubewp
Cubewp cubewp
Wordpress
Wordpress wordpress
Vendors & Products Cubewp
Cubewp cubewp
Wordpress
Wordpress wordpress

Mon, 22 Sep 2025 18:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emraan Cheema CubeWP allows Stored XSS. This issue affects CubeWP: from n/a through 1.1.26.
Title WordPress CubeWP Plugin <= 1.1.26 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:52.675Z

Reserved: 2025-09-17T18:01:02.999Z

Link: CVE-2025-59569

Vulnrichment

Updated: 2025-09-23T17:48:08.750Z

NVD

Status: Deferred

Published: 2025-09-22T19:16:25.127

Modified: 2026-04-23T15:34:04.630

Link: CVE-2025-59569

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:30:10Z
