Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Stored XSS requires low-privilege injection (PR:L) and victim page view (UI:R); scope changes to browser context (S:C); no direct availability impact applies.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tangible Loops & Logic tangible-loops-and-logic allows Stored XSS.This issue affects Loops & Logic: from n/a through <= 4.2.3.
AnalysisAI
Stored cross-site scripting in the Tangible Loops & Logic WordPress plugin (versions through 4.2.3) allows a low-privileged authenticated user to inject persistent malicious scripts into web pages that execute in the browsers of site visitors or administrators. The scope change (S:C in CVSS) confirms the payload escapes the injection context and executes in a victim's browser session, enabling session hijacking, credential theft, or malicious redirects. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid WordPress account with at minimum contributor or author-level privileges (PR:L per CVSS vector) on the target site - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L accurately characterizes the real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a contributor-level WordPress account on a site running Loops & Logic 4.2.3 or earlier. They craft a post or template fragment containing a malicious script payload embedded in a plugin-processed field, submit it, and the payload is stored in the database. … |
| Remediation | Update the Loops & Logic plugin to the version released after 4.2.3 that addresses this XSS issue - consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/tangible-loops-and-logic/vulnerability/wordpress-loops-logic-plugin-4-2-3-cross-site-scripting-xss-vulnerability for the confirmed patched version, as an exact fix version is not independently confirmed from the available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43464