Description
WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at the /mobile-app/v3/ endpoint to execute arbitrary code in victims' browsers and steal session tokens or credentials.
Published: 2026-04-09
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

A reflected cross-site scripting flaw exists in the WordPress adivaha Travel Plugin. By altering the isMobile GET parameter on the /mobile-app/v3/ endpoint, an attacker can inject arbitrary JavaScript that executes in victims' browsers. This can lead to client-side compromise, including session hijacking and credential theft, and is classified as CWE-79.

Affected Systems

The vulnerability affects WordPress sites that have version 2.3 of the adivaha Travel Plugin installed. Any site where this plugin is publicly reachable and accepts the isMobile parameter in URLs is impacted.

Risk and Exploitability

The severity score assigned to the flaw is 5.1, indicating moderate risk. Threat likelihood metrics are not available, and the issue is not listed in known exploit catalogs. The flaw can be exploited with a simple unauthenticated HTTP request to a crafted URL targeting the /mobile-app/v3/ endpoint, making it accessible to anyone who can visit the affected site.

Generated by OpenCVE AI on April 9, 2026 at 23:08 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the adivaha Travel Plugin to a version that addresses the vulnerability or apply the vendor’s patch
  • If an update is not immediately available, remove or disable the isMobile parameter from URLs that are not required for normal operation
  • Implement input validation or sanitization on the isMobile parameter to strip or escape script content
  • Configure a web application firewall to detect and block requests containing suspicious JavaScript payloads in the isMobile parameter
  • Regularly review site activity logs for repeated attempts to inject script code
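As an added illustration of the third action above (constructed for this page, not the adivaha plugin's own code and not based on its source), the PHP below contrasts the reflecting pattern that produces this class of bug with a hardened handler that validates isMobile as the boolean flag its name implies and escapes on output; the function names and the HTML fragment are assumptions.

```php
<?php
// Constructed example of how a handler for /mobile-app/v3/ might treat the
// isMobile GET parameter. Not the plugin's code.

// Unsafe pattern: the request parameter is written into HTML unescaped, so
// any markup in the isMobile value is rendered and executed by the browser.
function render_unsafe(array $get): string {
    $isMobile = $get['isMobile'] ?? '';
    return '<div data-mobile="' . $isMobile . '">' . $isMobile . '</div>';
}

// Control 1: validate the parameter against what it is supposed to be.
// A flag named isMobile only needs to be a boolean, so anything else is
// rejected and never reaches the output at all.
function normalize_is_mobile(?string $value): ?bool {
    if ($value === null) {
        return null;
    }
    // FILTER_VALIDATE_BOOLEAN accepts "1", "true", "on", "yes" and their
    // negatives; FILTER_NULL_ON_FAILURE makes any other string return null.
    return filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
}

// Control 2: escape on output anyway, so a later change that reflects a
// free-form value is still safe in an HTML attribute or text context.
// Inside WordPress, esc_attr() and esc_html() are the usual equivalents.
function html_escape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_hardened(array $get): string {
    $isMobile = normalize_is_mobile($get['isMobile'] ?? null);
    if ($isMobile === null) {
        // Missing or invalid flag: fall back to the desktop view and do not
        // echo the caller's input.
        $isMobile = false;
    }
    $flag = $isMobile ? '1' : '0';
    return '<div data-mobile="' . html_escape($flag) . '">'
        . html_escape($flag) . '</div>';
}

// Constructed input that is not a boolean and contains markup.
$input = ['isMobile' => '"><b>not a flag</b>'];
echo render_unsafe($input), PHP_EOL;    // markup passes through unchanged
echo render_hardened($input), PHP_EOL;  // <div data-mobile="0">0</div>
```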

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 18:15:00 +0000

Type: Metrics
Values added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type: First Time appeared
Values added: Adivaha; Adivaha wordpress Adivaha Travel Plugin; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Adivaha; Adivaha wordpress Adivaha Travel Plugin; Wordpress; Wordpress wordpress

Thu, 09 Apr 2026 21:15:00 +0000

Type: Description
Values added: WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at the /mobile-app/v3/ endpoint to execute arbitrary code in victims' browsers and steal session tokens or credentials.

Type: Title
Values added: WordPress adivaha Travel Plugin 2.3 Reflected XSS via isMobile

Type: Weaknesses
Values added: CWE-79

Type: References
Values added:

Type: Metrics
Values added:
  cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
  cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-24T01:37:39.062Z

Reserved: 2026-04-09T20:41:29.868Z

Link: CVE-2023-54358

Vulnrichment

Updated: 2026-04-10T18:10:12.222Z

NVD

Status : Deferred

Published: 2026-04-09T21:16:04.960

Modified: 2026-04-15T15:00:32.790

Link: CVE-2023-54358

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:29:16Z

Weaknesses