Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in colabrio Stockie Extra stockie-extra allows Code Injection. This issue affects Stockie Extra: from n/a through <= 1.2.11.
Published: 2025-12-18
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Stockie Extra WordPress plugin contains a Basic XSS vulnerability due to improper neutralization of script‑related HTML tags, which allows an attacker to inject arbitrary JavaScript into a web page. The flaw arises from the plugin not sanitizing content that may include <script> tags or other executable code. This code injection would execute in the browsers of visitors to the affected site, potentially exposing the site to client‑side exploits.

Affected Systems

The vulnerability affects the colabrio Stockie Extra plugin for WordPress versions through 1.2.11 inclusive. Any WordPress site that has installed this plugin on a version equal to or older than 1.2.11 is exposed, regardless of other plugins or themes.

Risk and Exploitability

The CVSS base score of 6.5 corresponds to a Medium severity rating. The EPSS score of less than 1% suggests a low likelihood of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to supply malicious input through a content field or administrative interface that accepts user‑generated data and that the plugin fails to sanitize. The impact is limited to the execution of script in the browsers of site visitors.

Generated by OpenCVE AI on April 30, 2026 at 04:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Stockie Extra to a version later than 1.2.11.
  • If an upgrade cannot be performed immediately, disable or remove the plugin from the site until a patched version is available.
  • Apply content sanitization or a web‑application firewall to block script tags in data submitted through the plugin.


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 19 Dec 2025 09:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 15:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in colabrio Stockie Extra stockie-extra allows Code Injection. This issue affects Stockie Extra: from n/a through <= 1.2.11.

Type: Title
Values Added: WordPress Stockie Extra plugin <= 1.2.11 - Content Injection vulnerability

Type: Weaknesses
Values Added: CWE-80

Type: References
Values Added: (none)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:11.549Z

Reserved: 2025-10-29T03:08:02.189Z

Link: CVE-2025-64225

Vulnrichment

Updated: 2025-12-18T14:40:59.219Z

NVD

Status : Deferred

Published: 2025-12-18T08:16:12.287

Modified: 2026-04-27T16:16:35.527

Link: CVE-2025-64225

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T04:45:06Z

Weaknesses