Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PublishPress Post Expirator post-expirator allows DOM-Based XSS.This issue affects Post Expirator: from n/a through <= 4.9.4.
AnalysisAI
DOM-based cross-site scripting (XSS) in PublishPress Post Expirator WordPress plugin versions 4.9.4 and earlier allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of higher-privileged administrators viewing affected pages, potentially leading to unauthorized actions or credential theft. The vulnerability requires user interaction (administrator viewing the malicious content) and is confined to the application context, making it a medium-severity risk despite the high CVSS score-EPSS scoring of 0.03% percentile indicates low real-world exploitation probability.
Technical ContextAI
PublishPress Post Expirator is a WordPress plugin (CPE: cpe:2.3:a:publishpress:post_expirator:*:*:*:*:*:*:*:*) that manages the expiration and automated handling of published posts. The vulnerability stems from improper sanitization and neutralization of user-supplied input during dynamic DOM manipulation (CWE-79: Improper Neutralization of Input During Web Page Generation). Rather than server-side reflected or stored XSS, this is DOM-based XSS, meaning the malicious payload is processed client-side in the browser's Document Object Model without being fully sanitized by the plugin's JavaScript code. The flaw likely exists in plugin-specific admin interface code that renders user data into the DOM without adequate escaping or Content Security Policy protections.
RemediationAI
Upgrade PublishPress Post Expirator to a patched version released after 4.9.4 as available from the official WordPress plugin repository or PublishPress website. No specific patched version number is independently confirmed in the provided advisory data, so administrators should consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/post-expirator/vulnerability/wordpress-post-expirator-plugin-4-9-4-cross-site-scripting-xss-vulnerability?_s_id=cve) or the plugin's official changelog for the recommended upgrade path. As an interim measure, restrict admin user access to only trusted personnel and limit plugin usage to sites where user-supplied content in Post Expirator fields is carefully reviewed before being displayed to administrators. Implementing a Web Application Firewall (WAF) with XSS detection rules may provide additional protection while patches are being deployed.
More in Post Expirator
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20148