CVE-2025-66081
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Head Meta Data head-meta-data allows Stored XSS. This issue affects Head Meta Data: from n/a through <= 20250327.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in WordPress Head Meta Data plugin allows attackers to inject malicious scripts, posing risk to websites.
Vulnerability
The Head Meta Data plugin for WordPress suffers from a stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation. The issue affects versions through 20250327 and is classified as CVE-2025-66081 with a CVSS score of 5.9 (Medium) [1].
Exploitation
To exploit this vulnerability, an attacker must have a privileged role (such as contributor or higher) and craft a payload that, when stored, will execute in the context of other users' browsers. Successful exploitation requires user interaction, such as clicking a crafted link or visiting a manipulated page [1].
Impact
If exploited, the attacker can inject malicious scripts—including redirects, advertisements, or other HTML payloads—that execute when visitors access the affected page. This can lead to data theft, defacement, or further compromise of the site and its visitors [1].
Mitigation
The vulnerability is addressed in version 20251118 of the plugin. Users are strongly advised to update immediately. For those unable to update, enabling auto-updates via Patchstack or contacting their hosting provider is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=20250327
- Range: <= 20250327
Patches
No patches discovered yet.
References