Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Network-delivered stored XSS requires low-privilege account (PR:L) and active victim browsing (UI:R); S:C for cross-context script execution; A:N as XSS does not directly cause availability loss.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Netrr Author Box WP Lens author-box-for-divi allows Stored XSS.This issue affects Author Box WP Lens: from n/a through <= 2.1.5.
AnalysisAI
Stored cross-site scripting in the Author Box WP Lens WordPress plugin (versions through 2.1.5) enables authenticated low-privilege users to persist malicious JavaScript payloads that execute in the browsers of any user who views an affected page, including administrators. The CVSS scope change (S:C) reflects that the injected script runs in a different security context than where it was stored, meaning a contributor-level attacker can target higher-privileged victims browsing the same site. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress user account with at minimum low-privilege access sufficient to write to author box fields managed by the plugin (PR:L per CVSS vector - typically Author or Contributor role). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.5 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) vector signals a realistic but constrained threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a low-privilege WordPress account (Author or Contributor role) and edits their author profile or an author box widget field to include a JavaScript payload such as a cookie-stealing script. When a WordPress administrator later browses to any post page rendering that author box, the payload executes in the admin's browser session, exfiltrating their session cookie to an attacker-controlled server and enabling full administrative account takeover. … |
| Remediation | Update the Author Box WP Lens plugin to a version above 2.1.5 if Netrr has released a patched build; consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/author-box-for-divi/vulnerability/wordpress-author-box-wp-lens-plugin-2-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve for confirmation of the exact fixed version, as the current intelligence does not independently confirm a specific patched release number. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43347