Description
Unauthenticated Content Injection in Auros Core <= 5.3.1 versions.
Published: 2026-06-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an unauthenticated attacker to inject arbitrary HTML or JavaScript into WordPress content through the Auros Core plugin's content fields. As a result, attacker-supplied client‑side code could run in the browser of a visitor to the affected site, leading to session hijacking, defacement, or tracking. The weakness is rooted in insufficient input validation and is classified as CWE‑80.

Affected Systems

The issue affects the Auros Core WordPress plugin version 5.3.1 and earlier, developed by Opal_WP. Any WordPress installation that has the plugin enabled and has not been updated beyond 5.3.1 is vulnerable.

Risk and Exploitability

The current CVSS v3.1 score of 5.3 indicates moderate risk. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that broad exploitation activity is not yet documented. Nonetheless, because the plugin processes unsanitized user input and the attack does not require authentication, the threat to sites that rely on Auros Core for content management is significant.

Generated by OpenCVE AI on June 26, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a supported version of the Auros Core plugin (>=5.4) which includes input sanitization for all content fields.
  • If an upgrade is not immediately feasible, disable the plugin’s ability to accept unfiltered user input by configuring it to strip or escape HTML and JavaScript before storing it.
  • Employ a site‑wide content filtering tool or security plugin that sanitizes all post content to prevent injection of malicious scripts.
  • Audit existing posts and embedded content for hidden scripts or malicious links, and remove any that are discovered.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated Content Injection in Auros Core <= 5.3.1 versions.
Title | | WordPress Auros Core plugin <= 5.3.1 - Content Injection vulnerability
Weaknesses | | CWE-80
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T14:52:13.210Z

Reserved: 2025-11-06T13:11:11.071Z

Link: CVE-2025-64637

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T16:30:03Z

Weaknesses
  • CWE-80

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)