Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tormorten WP Microdata wp-microdata allows Stored XSS. This issue affects WP Microdata: from n/a through <= 1.0.
Published: 2025-12-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw (CWE‑79) that permits an attacker to persist malicious scripts in user‑controlled content. When a victim visits a page that renders the compromised content, the script runs with the victim's privileges, enabling theft of session cookies, redirection to phishing sites, or other malicious interactions.

Affected Systems

The flaw is present in the WP Microdata WordPress plugin distributed by tormorten. All versions up to and including 1.0 are affected; newer releases contain a fix that is not detailed in the publicly available information.

Risk and Exploitability

The CVSS base score is 6.5, indicating medium severity, and the EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, and there are no publicly known exploits. An attacker would need to craft malicious input that the plugin stores and later displays, implying that the attack surface exists only where the plugin is active and accepts user input.

Generated by OpenCVE AI on April 29, 2026 at 18:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest available version of the WP Microdata plugin or uninstall it if no longer needed.
  • If an immediate upgrade is not feasible, temporarily deactivate the plugin or prevent its execution through WordPress's plugin management interface.
  • Apply server‑side or client‑side sanitization to any content the plugin stores, ensuring no executable scripts can be embedded.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tormorten WP Microdata allows Stored XSS. This issue affects WP Microdata: from n/a through 1.0.
Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tormorten WP Microdata wp-microdata allows Stored XSS. This issue affects WP Microdata: from n/a through <= 1.0.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Tue, 23 Dec 2025 00:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Dec 2025 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sun, 21 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tormorten WP Microdata allows Stored XSS. This issue affects WP Microdata: from n/a through 1.0.
Title WordPress WP Microdata plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:05.080Z

Reserved: 2025-10-24T14:24:23.976Z

Link: CVE-2025-62901

Vulnrichment

Updated: 2025-12-22T16:17:23.513Z

NVD

Status: Deferred

Published: 2025-12-21T22:15:48.487

Modified: 2026-04-23T15:34:44.780

Link: CVE-2025-62901

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T18:45:17Z

Weaknesses