Skip to main content

CVE-2025-62095

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-31 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.5 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 14:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in neilgee Bootstrap Modals bootstrap-modals allows Stored XSS.This issue affects Bootstrap Modals: from n/a through <= 1.3.2.

AnalysisAI

Stored cross-site scripting (XSS) vulnerability in Bootstrap Modals WordPress plugin versions up to 1.3.2 allows authenticated attackers to inject and execute arbitrary JavaScript code that persists in the database and executes for all site visitors. The vulnerability stems from improper input neutralization during web page generation, enabling attackers with plugin-relevant permissions to compromise user sessions and steal sensitive data from administrators and site visitors.

Technical ContextAI

The vulnerability is a classic stored XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in the Bootstrap Modals WordPress plugin, which provides modal dialog functionality. The root cause is the failure to properly sanitize and escape user-supplied input before storing it in the database and rendering it on web pages. When the plugin generates HTML for modal elements, it does not adequately neutralize malicious scripts embedded in input fields, allowing attackers to inject payloads that execute in the context of the vulnerable application. WordPress plugins typically process user input through forms or settings panels; if these inputs are stored without sanitization and later output without escaping, stored XSS occurs. The CPE for the affected software is identified as the Bootstrap Modals plugin for WordPress (wordpress-plugin-bootstrap-modals) affecting versions through 1.3.2.

Affected ProductsAI

Bootstrap Modals WordPress plugin from version n/a through version 1.3.2 inclusive is affected. The plugin, identified by CPE wordpress-plugin-bootstrap-modals, is used to add modal dialog functionality to WordPress sites. The vulnerability impacts all installations running version 1.3.2 or earlier.

RemediationAI

Site administrators must update Bootstrap Modals to a patched version greater than 1.3.2 as soon as possible. Check the WordPress plugin repository or the vendor's official advisory at https://patchstack.com/database/Wordpress/Plugin/bootstrap-modals/vulnerability/wordpress-bootstrap-modals-plugin-1-3-2-cross-site-scripting-xss-vulnerability for the latest available version. If a patched version is not yet available, consider temporarily disabling the plugin until an update is released. Site owners should audit any modal content created or modified by users with plugin administrative access for signs of malicious scripts and consider resetting stored modal data if compromise is suspected.

Share

CVE-2025-62095 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy