Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NIKITAS GEORGOPOULOS WeShare Buttons e-mailit allows Stored XSS.This issue affects WeShare Buttons: from n/a through <= 13.0.0.
Published: 2025-10-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WeShare Buttons plugin contains a stored cross‑site scripting flaw that permits arbitrary JavaScript code to be saved through the plugin’s configuration interface and later rendered in web pages. When a page that references the stored data is viewed, the embedded script executes in the visitor’s browser.

Affected Systems

All installations of the WeShare Buttons plugin from NIKITAS GEORGOPOULOS that are version 13.0.0 or earlier are affected.

Risk and Exploitability

The CVSS score of 5.9 classifies this vulnerability as medium severity, and the EPSS score of less than 1% indicates a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The inferred attack vector is stored XSS through the plugin’s configuration interface, which would allow malicious scripts to run in client browsers.

Generated by OpenCVE AI on April 29, 2026 at 20:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WeShare Buttons plugin to a version newer than 13.0.0 to eliminate the XSS flaw.
  • Prior to updating, review and remove any stored configuration or data that may contain malicious scripts.
  • Perform a site‑wide review of the plugin’s usage to ensure no untrusted input can be injected into stored data.

Generated by OpenCVE AI on April 29, 2026 at 20:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Oct 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Thu, 23 Oct 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 22 Oct 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NIKITAS GEORGOPOULOS WeShare Buttons e-mailit allows Stored XSS.This issue affects WeShare Buttons: from n/a through <= 13.0.0.
Title WordPress WeShare Buttons Plugin <= 13.0.0 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:38:17.147Z

Reserved: 2025-09-25T15:20:34.879Z

Link: CVE-2025-60135

cve-icon Vulnrichment

Updated: 2025-10-22T20:24:30.891Z

cve-icon NVD

Status : Deferred

Published: 2025-10-22T15:15:57.173

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-60135

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T21:00:09Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')