- Description
- The WP Import Export Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpiePreviewData’ function in all versions up to, and including, 3.9.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Source
- security@wordfence.com
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Primary
- Base score
- 6.4
- Impact score
- 2.7
- Exploitability score
- 3.1
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Severity
- MEDIUM
- security@wordfence.com
- CWE-79
- Hype score
- Not currently trending
New post from https://t.co/uXvPWJy6tj (CVE-2025-2839 | VJInfotech WP Import Export Lite Plugin up to 3.9.27 on WordPress cross site scripting) has been published on https://t.co/ue6g2CBHSw
@WolfgangSesin
22 Apr 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-2839 The WP Import Export Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpiePreviewData’ function in all versions up to, and including, 3.9… https://t.co/50gjcHI7VX
@CVEnew
22 Apr 2025
177 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes