Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Stored XSS is network-reachable and low-complexity with a browser-context scope change and Low C/I/A; PR:L reflects that most Patchstack stored-XSS injection points require at least low-privileged access, though the input's PR:N is possible if truly unauthenticated.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proxy & VPN Blocker Proxy & VPN Blocker proxy-vpn-blocker allows Stored XSS.This issue affects Proxy & VPN Blocker: from n/a through <= 3.5.8.
AnalysisAI
Stored cross-site scripting in the WordPress plugin 'Proxy & VPN Blocker' (versions up to and including 3.5.8) lets attackers persist malicious JavaScript that executes in victims' browsers when an affected page is rendered. Reported by Patchstack and carrying a CVSS 3.1 score of 7.1 with a scope change, the flaw affects all releases from an unspecified initial version through 3.5.8. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that attacker-controlled data be stored via the Proxy & VPN Blocker plugin and then rendered to a victim, and it requires user interaction (UI:R) - a user or administrator must load the page containing the stored payload for the script to execute. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, score 7.1) indicates network-reachable, low-complexity exploitation with a scope change but requiring user interaction, and only Low confidentiality/integrity/availability impact - consistent with typical stored XSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits crafted input containing JavaScript to a field handled by the Proxy & VPN Blocker plugin; the payload is stored and later served unsanitized. When an administrator or other user opens the affected page, the script runs in their browser session in the site's origin, enabling session/cookie theft, admin-action forgery, or content injection. … |
| Remediation | No vendor-released patch version is identified in the available data (the record states affected 'through <= 3.5.8' without naming a fixed release), so verify the current version at https://patchstack.com/database/Wordpress/Plugin/proxy-vpn-blocker/vulnerability/wordpress-proxy-vpn-blocker-plugin-3-5-8-cross-site-scripting-xss-vulnerability and upgrade to any release later than 3.5.8 once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Immediately disable the 'Proxy & VPN Blocker' plugin across all WordPress instances and audit your environment for installations running versions 3.5.8 and earlier. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43470