Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sayan Datta WP Last Modified Info wp-last-modified-info allows Stored XSS.This issue affects WP Last Modified Info: from n/a through <= 1.9.2.
Published: 2025-10-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Last Modified Info plugin contains an improper neutralization of input during web page generation, enabling a stored XSS flaw where malicious JavaScript can be injected and later rendered to site visitors. This can lead to session hijacking, defacement, or arbitrary script execution on the website, impacting the confidentiality, integrity, and user experience.

Affected Systems

WordPress sites that have the WP Last Modified Info plugin version 1.9.2 or earlier, developed by Sayan Datta, are affected. The flaw exists in all releases from the earliest public version up through 1.9.2.

Risk and Exploitability

This vulnerability has a CVSS score of 6.5, indicating moderate risk. The EPSS score of less than 1% suggests a low probability of exploitation at present, and it is not listed in the CISA KEV catalog. The attack vector is through the plugin’s handling of user‑supplied content; based on the description, it is inferred that an attacker must possess privileges sufficient to submit or edit content that routes through the plugin’s insecure logic, but such privileges are typically available to authenticated users with content‑creation rights.

Generated by OpenCVE AI on April 29, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Last Modified Info to version 1.9.3 or newer.
  • If the plugin is not required, uninstall or remove it entirely from the WordPress installation.
  • If the plugin must remain in use and an upgrade is not possible, constrain input by applying a web‑application firewall rule that blocks common XSS payloads targeting the plugin’s pages or implement output encoding for any data stored by the plugin.

Generated by OpenCVE AI on April 29, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Mon, 27 Oct 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Sayandatta
Sayandatta wp Last Modified Info
Wordpress
Wordpress wordpress
Vendors & Products Sayandatta
Sayandatta wp Last Modified Info
Wordpress
Wordpress wordpress

Mon, 27 Oct 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Oct 2025 02:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sayan Datta WP Last Modified Info wp-last-modified-info allows Stored XSS.This issue affects WP Last Modified Info: from n/a through <= 1.9.2.
Title WordPress WP Last Modified Info plugin <= 1.9.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Sayandatta Wp Last Modified Info
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:58:48.262Z

Reserved: 2025-10-24T14:25:01.200Z

Link: CVE-2025-62968

cve-icon Vulnrichment

Updated: 2025-10-27T15:05:10.438Z

cve-icon NVD

Status : Deferred

Published: 2025-10-27T02:15:57.213

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-62968

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T16:30:15Z

Weaknesses