Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Visualizer allows Stored XSS.
This issue affects Visualizer: from n/a before 4.0.0.
AnalysisAI
Stored XSS in the Themeisle Visualizer WordPress plugin (all versions before 4.0.0) allows an authenticated low-privileged user to inject persistent malicious scripts into chart or visualization content. When a victim user subsequently views the affected page, the injected script executes in their browser within a changed scope (S:C), meaning impact extends beyond the attacker's own session to other users. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the low attack complexity and network-accessible vector make this straightforward to abuse on sites with open or loosely controlled contributor registration.
Technical ContextAI
The Visualizer plugin by Themeisle is a WordPress data charting and visualization tool. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates that user-supplied input - likely chart titles, labels, data fields, or configuration values - is not properly sanitized or escaped before being rendered into the HTML page. The CPE string cpe:2.3:a:themeisle:visualizer:*:*:*:*:*:*:*:* confirms all versions of this plugin across all platforms are affected until the 4.0.0 boundary. The CVSS vector component S:C (Scope Changed) is significant: it indicates the injected payload executes in the browser context of other authenticated users, not merely the attacker's own session, enabling session theft, credential harvesting, or unauthorized administrative actions against higher-privileged users who view the poisoned content.
RemediationAI
Update the Themeisle Visualizer WordPress plugin to version 4.0.0 or later, which is the vendor-confirmed patched release per the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/visualizer/vulnerability/wordpress-visualizer-plugin-4-0-0-cross-site-scripting-xss-vulnerability. If an immediate update is not feasible, restrict the ability to create or edit Visualizer charts to only the most trusted, highly privileged accounts (e.g., administrators only), reducing the pool of users who can inject stored payloads - note this may disrupt editorial workflows on multi-author sites. Additionally, deploying a web application firewall (WAF) with XSS filtering rules can provide a secondary layer of detection, though WAF bypass is possible and should not substitute for patching. Audit existing Visualizer content for suspicious script tags or encoded payloads if untrusted contributors have had access.
More in Visualizer
View allA blind SSRF vulnerability exists in the Visualizer plugin before 3.3.1 for WordPress via wp-json/visualizer/v1/upload-d
A stored XSS vulnerability in the Visualizer plugin 3.3.0 for WordPress allows an unauthenticated attacker to execute ar
The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to deserialization of untrust
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeisle Visualiz
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Visualiz
Auth. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31099
GHSA-vx3g-ch3r-7568