Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Statsenko Terms descriptions terms-descriptions allows DOM-Based XSS. This issue affects Terms descriptions: from n/a through <= 3.4.9.
Published: 2026-01-23
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross Site Scripting (DOM‑based XSS)
Action: Update Plugin
AI Analysis

Impact

The Terms descriptions plugin for WordPress contains an improper neutralization of user input during web page generation, allowing attackers to inject malicious JavaScript via the plugin’s description field. This DOM‑based XSS flaw can lead to the execution of arbitrary client‑side scripts in the context of the site’s visitors, potentially compromising user sessions, defacing pages, or redirecting users to malicious sites. The weakness is classified as CWE‑79.

Affected Systems

This vulnerability affects installations of the Vladimir Statsenko Terms descriptions plugin for WordPress with any version up to and including 3.4.9. All WordPress sites that have deployed this plugin within the affected version range are at risk.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, and the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Likely attack vectors include a crafted link or a manipulated description field that, when rendered by a visitor's browser, executes the injected script. Because the vulnerability is client-side and does not require authentication, any user who visits a page that includes an affected description can be impacted.

Generated by OpenCVE AI on April 28, 2026 at 17:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Terms descriptions plugin to a version newer than 3.4.9, if available.
  • If a newer version is not available, disable or completely remove the plugin from the WordPress installation to eliminate the vulnerability.
  • Implement a Content Security Policy that disallows inline scripts to mitigate the impact of any remaining XSS risk.

Tracking


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}
Values Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Mon, 26 Jan 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Wordpress, Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress, Wordpress wordpress

Fri, 23 Jan 2026 16:15:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 14:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Statsenko Terms descriptions terms-descriptions allows DOM-Based XSS. This issue affects Terms descriptions: from n/a through <= 3.4.9.

Type: Title
Values Added: WordPress Terms descriptions plugin <= 3.4.9 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:50.383Z

Reserved: 2026-01-23T12:32:28.686Z

Link: CVE-2026-24621

Vulnrichment

Updated: 2026-01-23T16:06:25.840Z

NVD

Status : Deferred

Published: 2026-01-23T15:16:21.207

Modified: 2026-04-28T15:16:20.243

Link: CVE-2026-24621

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T18:00:14Z

Weaknesses