Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Stored XSS requires low-privilege write access (PR:L) and victim page visit (UI:R); scope changes to victim browser (S:C); availability impact removed as XSS does not cause measurable service disruption.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in merkulove Speaker speaker allows Stored XSS.This issue affects Speaker: from n/a through <= 4.1.13.
AnalysisAI
Stored Cross-Site Scripting (XSS) in the merkulove Speaker WordPress plugin (versions through 4.1.13) allows an authenticated low-privilege user to inject and persistently store malicious scripts that execute in other users' browsers upon page visitation. The scope change in the CVSS vector (S:C) confirms that successful exploitation crosses the security boundary from the plugin's context into visiting users' browser sessions, enabling session hijacking, credential theft, or unauthorized administrative actions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session with at least low-privilege access (PR:L per CVSS) on the target WordPress installation - the attacker must be able to create or edit content or settings that interact with the Speaker plugin's input fields. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L reflects a meaningful but bounded risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a low-privilege WordPress account (e.g., a contributor or author role) navigates to the Speaker plugin's configuration interface or a post editor where Speaker shortcode attributes are accepted, and injects a JavaScript payload such as a cookie-stealing script into an unsanitized field. The payload is saved to the database. … |
| Remediation | The primary remediation is to update the merkulove Speaker plugin to a version released after 4.1.13; however, the intelligence data does not specify an exact patched release version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43401