Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Space Studio Click & Tweet allows Stored XSS. This issue affects Click & Tweet: from n/a through 0.8.9.
Published: 2025-09-26
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation allows attackers to store malicious scripts in the Space Studio Click & Tweet plugin, leading to stored Cross-site Scripting. An attacker could craft payloads that are persisted by the plugin and then execute when a victim views or interacts with the affected content, potentially compromising the victim's browser session, leaking credentials, or defacing the site.

Affected Systems

Versions n/a through 0.8.9 of the Space Studio Click & Tweet plugin are affected. All instances of the plugin installed at or below version 0.8.9 are vulnerable.

Risk and Exploitability

The CVSS score of 5.9 indicates medium severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in CISA's KEV catalog. Exploitation likely requires an attacker to submit data to the plugin that is stored and later rendered in a user's browser. Successful exploitation would allow script execution in the context of the site, enabling data theft or site defacement.

Generated by OpenCVE AI on April 29, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Click & Tweet plugin to the latest available version to remove the stored XSS flaw.
  • If an upgrade is not available, uninstall or disable the plugin to eliminate the vulnerability.
  • As a temporary measure, purge or sanitize any existing content created via the plugin and implement a strict Content Security Policy to block execution of injected scripts.


Tracking


Advisories
Source: EUVD
ID: EUVD-2025-31231
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Space Studio Click & Tweet allows Stored XSS. This issue affects Click & Tweet: from n/a through 0.8.9.
History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Space Studio Click & Tweet click-tweet allows Stored XSS.This issue affects Click & Tweet: from n/a through <= 0.8.9.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Space Studio Click & Tweet allows Stored XSS. This issue affects Click & Tweet: from n/a through 0.8.9.
Type: References

Thu, 23 Apr 2026 15:45:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Space Studio Click & Tweet allows Stored XSS. This issue affects Click & Tweet: from n/a through 0.8.9.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Space Studio Click & Tweet click-tweet allows Stored XSS.This issue affects Click & Tweet: from n/a through <= 0.8.9.
Type: References

Mon, 29 Sep 2025 09:45:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Fri, 26 Sep 2025 14:15:00 +0000

Type: Metrics ssvc
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Sep 2025 08:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Space Studio Click & Tweet allows Stored XSS. This issue affects Click & Tweet: from n/a through 0.8.9.

Type: Title
Values Added: WordPress Click & Tweet Plugin <= 0.8.9 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics cvssV3_1
Values Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:56.787Z

Reserved: 2025-09-25T15:28:27.829Z

Link: CVE-2025-60179

Vulnrichment

Updated: 2025-09-26T13:18:39.240Z

NVD

Status: Deferred

Published: 2025-09-26T09:15:47.790

Modified: 2026-04-28T19:34:40.440

Link: CVE-2025-60179

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T00:00:14Z

Weaknesses