Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kontur.us kontur Admin Style kontur-admin-style allows Stored XSS.This issue affects kontur Admin Style: from n/a through <= 1.0.4.
Published: 2025-09-26
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kontur Admin Style WordPress plugin contains a stored XSS flaw caused by incorrect input neutralization. An attacker who can inject content into the plugin can store malicious JavaScript that is executed whenever a site visitor loads the affected page. This can lead to session hijacking, credential theft, defacement, or the execution of arbitrary scripts within the site‑admin context. The weakness aligns with CWE‑79: Improper Neutralization of Input During HTML Generation.

Affected Systems

WordPress sites that have the kontur Admin Style plugin version 1.0.4 or earlier installed. The plugin is distributed by kontur.us and is referenced in the WordPress plug‑in repository. Any site running the affected versions is potentially vulnerable until the plugin is updated or removed.

Risk and Exploitability

The CVSS score of 5.9 indicates medium severity, while the EPSS score of < 1% suggests that active exploitation is unlikely at present. The vulnerability is not listed in CISA KEV. The attack requires the ability to inject data via the plugin, typically achievable by an account with content‑editing privileges or an administrator. Because the payload is stored, even a single successful injection provides persistent access to all subsequent page views until the content is purged or the plugin is updated.

Generated by OpenCVE AI on April 29, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kontur Admin Style plugin to the latest released version that removes the stored XSS flaw. If no patch is available, permanently uninstall the plugin.
  • Restrict write access to plugin configuration and content fields to only trusted administrators, or disable any functionality that permits user‑supplied content that is rendered without sanitization.
  • Deploy a web application firewall or security plugin such as Wordfence or Sucuri that can detect and block XSS injection attempts, and enable logging of suspicious input.

Generated by OpenCVE AI on April 29, 2026 at 23:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31228 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kontur.us kontur Admin Style allows Stored XSS. This issue affects kontur Admin Style: from n/a through 1.0.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kontur.us kontur Admin Style allows Stored XSS. This issue affects kontur Admin Style: from n/a through 1.0.4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kontur.us kontur Admin Style kontur-admin-style allows Stored XSS.This issue affects kontur Admin Style: from n/a through <= 1.0.4.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Mon, 29 Sep 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 26 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Sep 2025 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kontur.us kontur Admin Style allows Stored XSS. This issue affects kontur Admin Style: from n/a through 1.0.4.
Title WordPress kontur Admin Style Plugin <= 1.0.4 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:57.109Z

Reserved: 2025-09-25T15:28:27.830Z

Link: CVE-2025-60185

cve-icon Vulnrichment

Updated: 2025-09-26T13:15:59.962Z

cve-icon NVD

Status : Deferred

Published: 2025-09-26T09:15:48.300

Modified: 2026-04-23T15:34:21.873

Link: CVE-2025-60185

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T00:00:14Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')