Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Visualizer allows Stored XSS.

This issue affects Visualizer: from n/a before 4.0.0.
Published: 2026-05-20
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Visualizer plugin contains a stored cross‑site scripting flaw where user input is not properly neutralized during page generation. An attacker who can inject content into the plugin’s storage area can place malicious JavaScript that will run in the browsers of anyone who views the affected pages. This can allow session hijacking, defacement, and the execution of arbitrary client‑side code.

Affected Systems

The weakness exists in Themeisle Visualizer, affecting all versions prior to 4.0.0. Sites that have installed any of those earlier releases and have the plugin enabled are vulnerable.

Risk and Exploitability

The CVSS score of 6.5 classifies the flaw as moderate severity. With no EPSS score available, the exploit likelihood is unknown. The vulnerability is not listed in CISA’s KEV. Attackers can exploit the stored XSS by submitting malicious script via the plugin’s input interface, which is later rendered without sanitization for all visitor browsers. Successful exploitation could lead to user‑session compromise or defacement, but requires the attacker’s content to be accepted and stored by the plugin.

Generated by OpenCVE AI on May 20, 2026 at 14:38 UTC.

Remediation

Vendor Solution

Update the WordPress Visualizer Plugin to the latest available version (at least 4.0.0).

OpenCVE Recommended Actions

  • Upgrade the Visualizer plugin to version 4.0.0 or later
  • Identify and remove any stored content that may contain malicious scripts before the upgrade
  • Disable the plugin on any affected sites until the upgrade is completed to prevent further exploitation

Generated by OpenCVE AI on May 20, 2026 at 14:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Themeisle
Themeisle visualizer
Wordpress
Wordpress wordpress
Vendors & Products Themeisle
Themeisle visualizer
Wordpress
Wordpress wordpress

Wed, 20 May 2026 13:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Visualizer allows Stored XSS. This issue affects Visualizer: from n/a before 4.0.0.
Title WordPress Visualizer plugin < 4.0.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Themeisle Visualizer
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-20T13:48:33.272Z

Reserved: 2026-01-23T12:32:02.838Z

Link: CVE-2026-24573

cve-icon Vulnrichment

Updated: 2026-05-20T13:48:28.707Z

cve-icon NVD

Status : Deferred

Published: 2026-05-20T13:16:16.253

Modified: 2026-05-20T13:54:54.890

Link: CVE-2026-24573

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T14:45:32Z

Weaknesses