Description
The VR-Frases (collect & share quotes) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. CVE-2025-22636 appears to be a duplicate of this issue.
Published: 2025-01-30
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

The VR‑Frases plugin for WordPress is vulnerable to reflected Cross‑Site Scripting through multiple request parameters across all versions up to and including 3.0.1. Insufficient input sanitization and output escaping allow an attacker to embed arbitrary scripts in responses that execute when a victim clicks a crafted link. This vulnerability is a classic CWE‑79 exploit and grants attackers the ability to hijack user sessions, deface sites, or deliver phishing content, exposing confidential data and user credentials to the attacker.

Affected Systems

The vulnerability affects the VR‑Frases WordPress plugin, developed by vruizg, with all releases numbered 3.0.1 or earlier. Sites that have installed any of these affected versions and have the plugin activated are at risk; newer releases beyond 3.0.1 are not listed as vulnerable.

Risk and Exploitability

The CVSS score of 6.1 denotes medium severity, while the EPSS score of <1% indicates a low probability of exploitation in the wild, and the flaw is not currently listed in the CISA KEV catalog. Nonetheless, the attack vector is straightforward: an unauthenticated attacker can embed malicious scripts in a URL that, when a visitor clicks it, triggers script execution in the visitor’s browser. Given the ubiquitous use of WordPress and the plugin’s functionality, this flaw can be leveraged for social‑engineering campaigns or automated attacks targeting site visitors.

Generated by OpenCVE AI on April 21, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update VR‑Frases to the latest version (>=3.0.2) where the reflected XSS vectors are sanitized and output is properly escaped.
  • If an update is unavailable, restrict HTTP request parameters through a web application firewall or plugin that blocks known XSS payloads and enforce strict input validation on the backend.
  • Add a Content Security Policy that disallows inline scripts and only permits scripts from trusted hosts, reducing the impact of any remaining reflected XSS attempts.

Generated by OpenCVE AI on April 21, 2026 at 22:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-1900 The VR-Frases (collect & share quotes) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description The VR-Frases (collect & share quotes) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The VR-Frases (collect & share quotes) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. CVE-2025-22636 appears to be a duplicate of this issue.
References

Fri, 31 Jan 2025 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Vruiz
Vruiz vr-frases
CPEs cpe:2.3:a:vruiz:vr-frases:*:*:*:*:*:*:*:*
Vendors & Products Vruiz
Vruiz vr-frases

Thu, 30 Jan 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Jan 2025 09:30:00 +0000

Type Values Removed Values Added
Description The VR-Frases (collect & share quotes) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title VR-Frases (collect & share quotes) <= 3.0.1 - Reflected Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Vruiz Vr-frases
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:33:26.063Z

Reserved: 2025-01-29T21:16:39.396Z

Link: CVE-2025-0860

cve-icon Vulnrichment

Updated: 2025-01-30T15:00:54.544Z

cve-icon NVD

Status : Modified

Published: 2025-01-30T10:15:08.723

Modified: 2026-04-08T19:22:48.513

Link: CVE-2025-0860

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T22:30:06Z

Weaknesses