Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Contributor auth required (PR:L), victim must view page (UI:R), scope changes to victim browser (S:C); availability impact assessed as None since XSS does not disrupt service.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Contributor Cross Site Scripting (XSS) in SeedProd Pro < 6.19.5 versions.
AnalysisAI
Stored Cross-Site Scripting in SeedProd Pro WordPress plugin (versions below 6.19.5) allows an authenticated Contributor-level user to inject malicious JavaScript that executes in the context of other users' browsers, including administrators. The changed scope (S:C) in the CVSS vector confirms the impact crosses from the plugin's trust boundary into victims' browser sessions, enabling session hijacking, credential theft, or unauthorized administrative actions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress Contributor-level account (or higher) on the target site - this is PR:L per the CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 6.5 (Medium) score reflects a network-accessible, low-complexity attack that requires low privileges (Contributor) and user interaction (a victim must load the affected page). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a Contributor account on a SeedProd Pro-enabled WordPress site and injects a malicious JavaScript payload into a page element or field managed by the plugin. When an Administrator or Editor visits the affected page or preview, the script executes in their browser session, potentially exfiltrating authentication cookies or performing privileged actions such as creating a rogue admin account. … |
| Remediation | Upgrade SeedProd Pro to version 6.19.5 or later, which contains the vendor-released patch per Patchstack advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39740
GHSA-9499-25wc-w6pm