What the vulnerability does
01 Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Taylor VoucherPress voucherpress allows Stored XSS. This issue affects VoucherPress: from n/a through <= 1.5.7.
Explanation of Vulnerability in Simple Terms
02 Summary
VoucherPress versions up to 1.5.7 contain a cross-site scripting (XSS) vulnerability that allows high-privilege users to inject malicious scripts. The vulnerability requires user interaction and affects the site's integrity and confidentiality. An administrator or high-privilege user can craft a malicious request that executes JavaScript in other users' browsers when they interact with the affected page.
What an attacker can do
03 Attacker Capabilities
Inject and execute JavaScript code in other users' browsers to steal data or perform actions on their behalf.
Potential impact on your site
04 Site Impact
High-privilege users can be tricked into executing malicious scripts that compromise site data or user accounts.
Conditions required to exploit
05 Prerequisites
Attacker must have high-privilege account access and the victim must click a malicious link or visit a crafted page.
Key dates
06 Disclosure timeline
September 22, 2025: CVE published
May 13, 2026: Record updated