Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cjjparadoxmax Synergy Project Manager synergy-project-manager allows Stored XSS.This issue affects Synergy Project Manager: from n/a through <= 1.5.
Published: 2026-01-22
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, allowing attackers to inject malicious script code. When the data is later rendered, the script executes in the victim’s browser. The risk to confidentiality, integrity, or availability depends on how the script is used, but typical outcomes include defacement, session hijacking, or redirecting users to malicious sites. This weakness is classified as CWE‑79.

Affected Systems

Synergy Project Manager, a WordPress plugin developed by cjjparadoxmax, is affected in all releases up to and including version 1.5. Any WordPress installation that has a vulnerable instance of this plugin is at risk.

Risk and Exploitability

The CVSS score of 5.8 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that exploitation would involve submitting malicious input through the plugin’s interface, which is then stored and served to other users. Once the malicious code is stored, any subsequent view of the affected page will trigger it, making the attack path straightforward after initial abuse. The vulnerability is easiest to exploit on sites where the plugin accepts user‑generated input without proper sanitization.

Generated by OpenCVE AI on April 29, 2026 at 12:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Synergy Project Manager plugin to a version newer than 1.5 if an updated release is available.
  • If the plugin is not required for site functionality, deactivate or uninstall it to eliminate the vulnerability.
  • Use a web application firewall or implement server‑side input sanitization on the plugin’s form fields to block future injection attempts.

Generated by OpenCVE AI on April 29, 2026 at 12:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Cjjparadoxmax
Cjjparadoxmax synergy Project Manager
Wordpress
Wordpress wordpress
Vendors & Products Cjjparadoxmax
Cjjparadoxmax synergy Project Manager
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cjjparadoxmax Synergy Project Manager synergy-project-manager allows Stored XSS.This issue affects Synergy Project Manager: from n/a through <= 1.5.
Title WordPress Synergy Project Manager plugin <= 1.5 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Cjjparadoxmax Synergy Project Manager
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:07:32.851Z

Reserved: 2025-12-24T14:00:47.909Z

Link: CVE-2025-68898

cve-icon Vulnrichment

Updated: 2026-01-27T21:23:19.936Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:13.470

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68898

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T13:00:06Z

Weaknesses