Description
Unauthenticated Cross Site Scripting (XSS) in SweetDate Core < 1.1.5 versions.
Published: 2026-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Untrusted input is reflected back to the user’s browser without proper sanitization, allowing an attacker to inject arbitrary JavaScript. An attacker could execute code in the context of the victim’s session, potentially stealing cookies, defacing the site, or redirecting users to malicious destinations. The vulnerability is classified as an unauthenticated XSS flaw and can affect any visitor who loads the affected page.

Affected Systems

The flaw exists in the SweetDate Core plugin for WordPress, released by SeventhQueen. All plugin versions prior to 1.1.5 are vulnerable; any WordPress site that has an older SweetDate Core installation is susceptible. No specific operating system or environment details beyond the WordPress context are provided.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity with considerable impact potential. The EPSS score is not available, so the current likelihood of exploitation is unknown, but because the flaw is unauthenticated and reflected during normal page viewing, it is potentially exploitable by anyone and likely not hidden behind network boundaries. The vulnerability is not listed in the CISA KEV catalog, but site operators should still consider it significant due to the open nature of the attack vector.

Generated by OpenCVE AI on June 18, 2026 at 13:54 UTC.

Remediation

Vendor Solution

Update the WordPress SweetDate Core Plugin to the latest available version (at least 1.1.5).


OpenCVE Recommended Actions

  • Update the SweetDate Core plugin to version 1.1.5 or newer.
  • Disable the SweetDate Core plugin or remove it from the site until a patched version is available.
  • Apply temporary client‑side measures such as a browser security policy or CSP to mitigate reflected XSS until the plugin is updated.

Generated by OpenCVE AI on June 18, 2026 at 13:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Seventhqueen
Seventhqueen sweet Date
Wordpress
Wordpress wordpress
Vendors & Products Seventhqueen
Seventhqueen sweet Date
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in SweetDate Core < 1.1.5 versions.
Title WordPress SweetDate Core plugin < 1.1.5 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Seventhqueen Sweet Date
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:07:32.771Z

Reserved: 2025-12-29T11:19:41.704Z

Link: CVE-2025-69140

cve-icon Vulnrichment

Updated: 2026-06-17T14:07:29.417Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:30:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')