Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HappyDevs TempTool [Show Current Template Info] current-template-name allows Stored XSS. This issue affects TempTool [Show Current Template Info]: from n/a through <= 1.3.1.
Published: 2025-12-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows stored cross‑site scripting through improper input neutralization in the TempTool [Show Current Template Info] plugin. A crafted input can be saved to the database and served to users in a generated web page, potentially enabling attacker‑controlled script execution in the context of the site visitor’s browser. The flaw falls under CWE‑79 and could result in session hijacking, data theft, or site defacement.

Affected Systems

The issue affects the HappyDevs TempTool [Show Current Template Info] WordPress plugin on all versions up to and including 1.3.1. No other variants are listed as vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% shows a very low, but non‑zero, likelihood of exploitation in the wild. The vulnerability is not yet listed in the CISA KEV catalog. Based on the description, the most likely attack vector is a reusable script inserted via an administrative input or settings page that will then be rendered to all site visitors. Successful exploitation requires access to the plugin configuration interface or a method to inject data that the plugin stores and later displays.

Generated by OpenCVE AI on April 29, 2026 at 18:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the TempTool plugin to a version newer than 1.3.1 that contains the fixed input handling.
  • If an upgrade is not immediately possible, deactivate the plugin to eliminate the entry point for XSS.
  • Deploy a web application firewall rule to block script payloads and configure a strict Content‑Security‑Policy header to restrict inline script execution.



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HappyDevs TempTool allows Stored XSS. This issue affects TempTool: from n/a through 1.3.1.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HappyDevs TempTool [Show Current Template Info] current-template-name allows Stored XSS. This issue affects TempTool [Show Current Template Info]: from n/a through <= 1.3.1.
Title
  Removed: WordPress TempTool plugin <= 1.3.1 - Cross Site Scripting (XSS) vulnerability
  Added: WordPress TempTool [Show Current Template Info] plugin <= 1.3.1 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 22 Dec 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Dec 2025 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sun, 21 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HappyDevs TempTool allows Stored XSS. This issue affects TempTool: from n/a through 1.3.1.
Title WordPress TempTool plugin <= 1.3.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:06.278Z

Reserved: 2025-10-24T14:24:35.376Z

Link: CVE-2025-62926

Vulnrichment

Updated: 2025-12-22T16:18:02.688Z

NVD

Status: Deferred

Published: 2025-12-21T22:15:48.657

Modified: 2026-04-23T15:34:48.297

Link: CVE-2025-62926

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T18:45:17Z

Weaknesses