Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Anshul Gangrade Custom Background Changer custom-background-changer allows Stored XSS. This issue affects Custom Background Changer: from n/a through <= 3.0.
Published: 2025-12-31
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input during web page generation allows an attacker to store malicious script code within WordPress pages. The stored XSS can be triggered when a user views the affected page, potentially enabling session hijacking, phishing, cookie theft, or defacement of the site. The weakness is a classic input‑validation flaw, classified as CWE‑79.

Affected Systems

The vulnerability affects the Anshul Gangrade Custom Background Changer plugin for WordPress, specifically all releases from the earliest version through version 3.0. Users running any of these plugin versions are at risk unless the plugin is updated to a fixed release or removed.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests that current exploitation activity is rare. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker submitting a crafted value through the WordPress administrative interface, which the plugin stores and later renders on a page. Based on the description, it is inferred that this requires administrative access to change the background setting.

Generated by OpenCVE AI on April 29, 2026 at 21:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Custom Background Changer plugin to the latest available version (i.e., any release newer than 3.0).
  • If an update is unavailable, remove the plugin entirely from the WordPress installation.
  • If the background changer feature is required, contact the developer to have input sanitization implemented or disable any custom background functionality until a patch is provided.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Anshul Gangrade Custom Background Changer custom-background-changer allows Stored XSS. This issue affects Custom Background Changer: from n/a through 3.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Anshul Gangrade Custom Background Changer custom-background-changer allows Stored XSS. This issue affects Custom Background Changer: from n/a through <= 3.0.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared
  Values Added: Wordpress
  Values Added: Wordpress wordpress
Vendors & Products
  Values Added: Wordpress
  Values Added: Wordpress wordpress

Wed, 31 Dec 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 31 Dec 2025 13:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Anshul Gangrade Custom Background Changer custom-background-changer allows Stored XSS. This issue affects Custom Background Changer: from n/a through 3.0.
Title WordPress Custom Background Changer plugin <= 3.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:02.288Z

Reserved: 2025-10-07T15:41:41.479Z

Link: CVE-2025-62125

Vulnrichment

Updated: 2025-12-31T15:06:55.704Z

NVD

Status: Deferred

Published: 2025-12-31T13:15:41.650

Modified: 2026-04-23T15:34:35.323

Link: CVE-2025-62125

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T22:00:07Z

Weaknesses