Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in neilgee Bootstrap Modals bootstrap-modals allows Stored XSS. This issue affects Bootstrap Modals: from n/a through <= 1.3.2.
Published: 2025-12-31
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input in the Bootstrap Modals plugin causes stored XSS, allowing an attacker to inject malicious script into modal content that is served to other users. Such script can hijack sessions, steal credentials, or exfiltrate data when the modal is rendered, representing a classic CWE‑79 weakness.

Affected Systems

The vulnerability affects Neilgee’s Bootstrap Modals plugin for all versions from the first release through 1.3.2. Any WordPress site running the plugin at 1.3.2 or earlier is impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate risk, while the EPSS score of <1% suggests a low probability of exploitation at present. The plugin is not listed in CISA’s KEV catalog. Attackers are likely to exploit the flaw via the plugin’s data‑entry interface, requiring an authenticated user with permission to create or edit modal content. The risk remains moderate due to potential widespread impact if the plugin is employed by many sites, but the low exploitation probability limits immediate threat.

Generated by OpenCVE AI on April 29, 2026 at 18:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Bootstrap Modals plugin to the latest release (>=1.3.3).
  • Remove or replace any modal content that may contain untrusted data.
  • Disable or delete the plugin if its functionality is no longer needed.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Neilgee Bootstrap Modals allows Stored XSS. This issue affects Bootstrap Modals: from n/a through 1.3.2.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in neilgee Bootstrap Modals bootstrap-modals allows Stored XSS. This issue affects Bootstrap Modals: from n/a through <= 1.3.2.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 31 Dec 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 31 Dec 2025 13:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Neilgee Bootstrap Modals allows Stored XSS. This issue affects Bootstrap Modals: from n/a through 1.3.2.
Title WordPress Bootstrap Modals plugin <= 1.3.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:01.691Z

Reserved: 2025-10-07T15:35:03.407Z

Link: CVE-2025-62095

Vulnrichment

Updated: 2025-12-31T13:46:37.216Z

NVD

Status: Deferred

Published: 2025-12-31T14:15:51.943

Modified: 2026-04-23T15:34:31.763

Link: CVE-2025-62095

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T18:15:17Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')