Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nexcess WPComplete wpcomplete allows Stored XSS.This issue affects WPComplete: from n/a through <= 2.9.5.4.
AnalysisAI
Stored Cross-Site Scripting in the WPComplete WordPress plugin (all versions through 2.9.5.4) allows authenticated low-privileged users to inject persistent malicious scripts that execute in other users' browsers upon viewing affected content. The CVSS changed scope (S:C) is the critical risk factor: a contributor- or author-level account can craft payloads that execute in the session of higher-privileged users, including administrators, enabling session hijacking or unauthorized admin actions. No public exploit identified at time of analysis, and an EPSS score of 0.03% (10th percentile) reflects low broad exploitation probability, though the admin-targeting potential elevates real-world concern for multi-user WordPress deployments.
Technical ContextAI
WPComplete is a WordPress plugin developed by Nexcess that adds course and content completion tracking functionality to WordPress sites. CWE-79 (Improper Neutralization of Input During Web Page Generation) in its stored variant means user-supplied input is persisted server-side without adequate sanitization or output encoding, then rendered as executable HTML/JavaScript to subsequent page visitors. The CVSS vector AV:N/AC:L/PR:L/UI:R/S:C reflects that the attack is delivered over the network with low complexity, requires a low-privileged authenticated session to inject the payload, and requires a separate victim's browser interaction to trigger execution - at which point the scope changes (S:C), crossing the plugin's security boundary into the victim's browser context. No CPE string was provided in the available intelligence; affected versions are documented as WPComplete 0 through 2.9.5.4 inclusive per EUVD-2026-32199.
RemediationAI
No specific patched version number was confirmed in the available intelligence data; the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wpcomplete/vulnerability/wordpress-wpcomplete-plugin-2-9-5-4-cross-site-scripting-xss-vulnerability?_s_id=cve should be consulted immediately to identify whether a fixed release above 2.9.5.4 is available in the WordPress plugin repository and to apply it. As an interim compensating control, restrict WordPress contributor and author roles exclusively to fully trusted internal users, since the attack requires PR:L authentication - removing untrusted or external accounts from these roles eliminates the injection vector entirely. If the plugin exposes specific input fields that accept free-form HTML or JavaScript, those fields should be identified and disabled or restricted via plugin settings if configurable. WordPress administrators should also consider deploying a Web Application Firewall rule (e.g., via Wordfence or Cloudflare) targeting stored XSS patterns in WPComplete-specific POST endpoints as a non-blocking defense layer; note this adds maintenance overhead and may produce false positives on legitimate rich-text content.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32199
GHSA-388h-jxj2-x3jp