Description
The Wp chart generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpchart shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-08-12
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting via the wpchart shortcode
Action: Patch
AI Analysis

Impact

The Wp chart generator plugin for WordPress is vulnerable to stored cross-site scripting through its wpchart shortcode. In all versions up to and including 1.0.4, an attacker authenticated with contributor or higher privileges can supply shortcode attributes that are neither sanitized on input nor escaped on output. Those attributes can carry arbitrary JavaScript, which is rendered and executed whenever a visitor views a page containing the injected shortcode. The flaw does not by itself provide file upload or remote code execution; its impact is script execution in the browser of anyone who views the affected page.

Affected Systems

The affected product is the Wp chart generator plugin developed by emilien. Versions 1.0.4 and earlier are affected, as indicated by the vulnerability range notation. No other versions are listed as vulnerable.

Risk and Exploitability

The CVSS score of 6.4 classifies the issue as medium severity. The EPSS score of below 1% indicates that exploitation attempts are currently considered unlikely. The vulnerability is not listed in the CISA KEV catalog. Because an authenticated account with contributor or higher privileges is required, the risk is confined to sites that grant such accounts or where such credentials could be compromised. Once a malicious user has injected the script, it executes for any visitor who views the modified page.

Generated by OpenCVE AI on April 22, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Wp chart generator plugin to a version newer than 1.0.4 to eliminate the stored XSS vulnerability.
  • If an upgrade cannot be performed immediately, remove or deactivate the wpchart shortcode from all posts and pages to prevent further injection.
  • Sanitize shortcode attributes on input and escape them for their output context, and ensure that only trusted users with appropriate capabilities can add or edit shortcode content, addressing CWE-79.
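The escaping the last recommendation calls for is a property of the shortcode handler itself. The following is an added illustration written for this page, not the plugin's own code: a WordPress shortcode callback that whitelists its attributes, constrains each one to the type it is expected to have, and escapes every value for the HTML context it lands in. The shortcode name wpchart comes from the advisory; the attribute names (title, width, color), the defaults and the function name are hypothetical.

```php
<?php
// Added example, not the Wp chart generator plugin's code.
// Shortcode name "wpchart" is from the advisory; the attributes title/width/color
// and the defaults below are hypothetical.

function example_wpchart_shortcode( $atts ) {
    // shortcode_atts() acts as a whitelist: attributes not listed here are dropped,
    // and missing ones receive a known default.
    $atts = shortcode_atts(
        array(
            'title' => '',
            'width' => 400,
            'color' => '#336699',
        ),
        $atts,
        'wpchart'
    );

    // Numeric attribute: coerce to a non-negative integer and clamp to a sane range,
    // so nothing but digits ever reaches the style attribute.
    $width = min( max( absint( $atts['width'] ), 50 ), 2000 );

    // Colour attribute: accept only a 3- or 6-digit hex colour, otherwise fall back
    // to the default. Rejecting rather than "cleaning" keeps the check simple.
    $color = preg_match( '/^#([0-9a-fA-F]{3}){1,2}$/', $atts['color'] )
        ? $atts['color']
        : '#336699';

    // Escape for the output context: esc_attr() for values inside an HTML attribute,
    // esc_html() for text nodes. Contributors can place shortcodes in posts, and
    // WordPress's post-content filtering does not reach inside shortcode attributes,
    // so the handler must not trust them.
    return sprintf(
        '<div class="wpchart" style="width:%dpx;border-color:%s">' .
        '<span class="wpchart-title">%s</span></div>',
        $width,
        esc_attr( $color ),
        esc_html( $atts['title'] )
    );
}
add_shortcode( 'wpchart', 'example_wpchart_shortcode' );
```

A capability check belongs where content is created or edited, not in the render callback: the callback runs in the context of the visitor viewing the page, so a current_user_can() test there would say nothing about who inserted the shortcode. Validating and escaping every attribute, as above, is what removes the injection point regardless of the author's role.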


Tracking


Advisories
Source: EUVD
ID: EUVD-2025-24198
Title: The Wp chart generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpchart shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Thu, 14 Aug 2025 06:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 Aug 2025 07:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Emilien; Emilien wp Chart Generator; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Emilien; Emilien wp Chart Generator; Wordpress; Wordpress wordpress

Tue, 12 Aug 2025 02:30:00 +0000

Type: Description
Values Added: The Wp chart generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpchart shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: Wp chart generator <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpchart Shortcode

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Emilien Wp Chart Generator
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:21.793Z

Reserved: 2025-08-06T21:13:17.182Z

Link: CVE-2025-8685

Vulnrichment

Updated: 2025-08-12T13:30:33.532Z

NVD

Status : Deferred

Published: 2025-08-12T03:15:29.643

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8685

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T22:30:28Z

Weaknesses