Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aviplugins.com Custom Post Type Attachment custom-post-type-pdf-attachment allows Stored XSS.This issue affects Custom Post Type Attachment: from n/a through <= 3.4.6.
Published: 2025-10-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from improper neutralization of input when generating a web page, allowing malicious scripts to be stored and later executed in the browsers of any visitor to the affected page. An attacker can inject JavaScript through the plugin’s custom post type feature, leading to potential theft of user credentials, session hijacking, defacement, or phishing attacks delivered from the compromised site.

Affected Systems

AviPlugins’ Custom Post Type Attachment plugin, custom-post-type-pdf-attachment, is vulnerable in all releases from the earliest available version up to and including 3.4.6.

Risk and Exploitability

With a CVSS score of 6.5, the flaw is considered moderate severity. The EPSS score of less than 1% indicates that at the current time exploitation is unlikely, and the vulnerability is not listed in the CISA KEV catalog. Still, an attacker could exploit the flaw by creating or editing a custom post type or attachment that includes the injected script, which will then be rendered to any user who views that content. The overall risk is moderate, but mitigations should be applied promptly to prevent potential client‑side compromise.

Generated by OpenCVE AI on April 29, 2026 at 20:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Custom Post Type Attachment plugin to version 3.4.7 or later, which removes the XSS flaw.
  • If an immediate update is not possible, disable the plugin or replace it with an alternative that properly sanitizes content before rendering.
  • Limit the ability to create or edit custom post types and attachments to trusted administrators only, reducing the opportunity to inject malicious scripts.
  • Adopt general best practices for WordPress sites: enforce strict input validation and output encoding for all user‑supplied content to guard against future injection vulnerabilities.

Generated by OpenCVE AI on April 29, 2026 at 20:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Tue, 28 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Oct 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Mon, 27 Oct 2025 02:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aviplugins.com Custom Post Type Attachment custom-post-type-pdf-attachment allows Stored XSS.This issue affects Custom Post Type Attachment: from n/a through <= 3.4.6.
Title WordPress Custom Post Type Attachment plugin <= 3.4.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:05.701Z

Reserved: 2025-10-24T14:24:23.977Z

Link: CVE-2025-62907

cve-icon Vulnrichment

Updated: 2025-10-27T15:18:17.044Z

cve-icon NVD

Status : Deferred

Published: 2025-10-27T02:15:50.043

Modified: 2026-04-27T18:16:29.493

Link: CVE-2025-62907

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T20:45:19Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')