Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daniel Iser Easy Modal easy-modal allows Stored XSS. This issue affects Easy Modal: from n/a through <= 2.1.0.
Published: 2026-01-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that enables client‑side code execution
Action: Immediate Patch
AI Analysis

Impact

Improper neutralization of input in Daniel Iser’s Easy Modal plugin allows an attacker to store malicious code in site content that is later rendered to visitors, resulting in a stored Cross‑Site Scripting (XSS) condition. Overwritten or injected scripts may run in the context of the victim’s browser, potentially capturing credentials or session cookies, or further compromising the site. The weakness is exploited on the client side and affects integrity, confidentiality and availability for any user who views the compromised page.

Affected Systems

WordPress websites that use Easy Modal plugin version 2.1.0 or older. Any instance where the plugin is installed and the default settings allow content entry via the WordPress editor or plugin settings would be vulnerable. The issue is limited to the Easy Modal plugin and does not affect other WordPress components unless the same attack vector is present elsewhere.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The attack surface is restricted to users who are able to enter plugin data, but affected administrators or trusted commenters could exploit the flaw. Successful exploitation would allow arbitrary script execution in the browsers of site visitors, potentially leading to data theft or defacement.

Generated by OpenCVE AI on April 16, 2026 at 07:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Easy Modal to the latest available version that contains the XSS fix
  • Disable or limit the ability for users to add arbitrary content via the plugin, ensuring only trusted users can edit or insert scripts
  • Implement site‑wide input sanitization or a web‑application firewall rule to block malicious script payloads before rendering

Advisories

No advisories yet.

History

Mon, 26 Jan 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Fri, 23 Jan 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 14:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daniel Iser Easy Modal easy-modal allows Stored XSS. This issue affects Easy Modal: from n/a through <= 2.1.0.
Title | | WordPress Easy Modal plugin <= 2.1.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:50.395Z

Reserved: 2026-01-23T12:32:24.372Z

Link: CVE-2026-24617

Vulnrichment

Updated: 2026-01-23T17:49:40.219Z

NVD

Status: Deferred

Published: 2026-01-23T15:16:20.727

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24617

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T07:30:28Z

Weaknesses