Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in THRIVE - Web Design Gold Coast Photospace Responsive photospace-responsive allows Stored XSS. This issue affects Photospace Responsive: from n/a through <= 2.2.0.
Published: 2025-10-27
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Photospace Responsive plugin contains a stored cross‑site scripting flaw caused by inadequate output escaping, permitting an attacker to inject malicious JavaScript that is later displayed to visitors of the website.

Affected Systems

The vulnerability affects the WordPress Photospace Responsive plugin provided by THRIVE – Web Design Gold Coast. All releases up to and including version 2.2.0 are impacted, so any WordPress site running an affected version is at risk.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, while an EPSS score of < 1 % suggests a very low likelihood of exploitation in the wild; the flaw is not listed in the CISA KEV catalog. The likely attack vector involves an attacker submitting crafted input through the plugin’s content entry fields that is stored and subsequently rendered; this requires the ability to add or modify content via Photospace Responsive. Once the payload is stored, it executes in the browsers of all visitors who load the affected pages.

Generated by OpenCVE AI on April 29, 2026 at 23:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Photospace Responsive plugin to a version newer than 2.2.0.
  • If an upgrade is not immediately possible, disable or uninstall the plugin to eliminate the vulnerable code path.
  • Implement site‑wide XSS protection measures such as a Content Security Policy or additional input sanitization via a reputable WordPress security plugin.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Tue, 28 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Oct 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Mon, 27 Oct 2025 02:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in THRIVE - Web Design Gold Coast Photospace Responsive photospace-responsive allows Stored XSS. This issue affects Photospace Responsive: from n/a through <= 2.2.0.
Title WordPress Photospace Responsive plugin <= 2.2.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:05.019Z

Reserved: 2025-10-24T14:24:16.561Z

Link: CVE-2025-62899

Vulnrichment

Updated: 2025-10-27T15:20:30.851Z

NVD

Status: Deferred

Published: 2025-10-27T02:15:49.060

Modified: 2026-04-27T18:16:28.537

Link: CVE-2025-62899

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T23:30:22Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')