Description
The Hubbub Lite – Fast, free social sharing and follow buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'dpsp_list_attention_search' parameter in all versions up to, and including, 1.36.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-11-06
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting (client‑side code execution)
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the Hubbub Lite WordPress plugin allows an attacker to inject arbitrary scripts via the 'dpsp_list_attention_search' parameter. Because the input is not properly sanitized or escaped, any user who follows a crafted link can have malicious JavaScript executed in their browser. This can enable a range of client‑side attacks such as session hijacking, credential theft, or deceptive content injection. The weakness is classified as CWE‑79, a classic reflected XSS flaw.

Affected Systems

The flaw affects all installations of the Hubbub Lite – Fast, free social sharing and follow buttons plugin from the nerdpressteam developer, for every release through version 1.36.0 inclusive. WordPress sites that have not upgraded beyond that version are potentially exposed.

Risk and Exploitability

The CVSS base score of 6.1 marks this as a moderate‑severity issue. The EPSS score of less than 1% indicates a low probability of widespread exploitation at this time, and the vulnerability is not currently listed in the CISA KEV catalog. Attackers would need only to lure a site visitor to a crafted URL containing the malicious parameter; no authentication or privileged access is required. While the attack surface is limited to user‑initiated actions, the impact on affected users can be significant due to client‑side code execution.

Generated by OpenCVE AI on April 21, 2026 at 01:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Hubbub Lite plugin to the latest version (greater than 1.36.0) which removes the vulnerable parameter handling.
  • If an upgrade is not immediately possible, disable or remove the 'dpsp_list_attention_search' functionality by editing the plugin files or leveraging WordPress settings to prevent this parameter from being processed.
  • Apply custom sanitization to the 'dpsp_list_attention_search' input by ensuring all output is properly escaped, or use a security plugin to block XSS vectors until the official fix is applied.

Generated by OpenCVE AI on April 21, 2026 at 01:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 06 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 06 Nov 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 06 Nov 2025 07:00:00 +0000

Type Values Removed Values Added
Description The Hubbub Lite – Fast, free social sharing and follow buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'dpsp_list_attention_search' parameter in all versions up to, and including, 1.36.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title Hubbub Lite <= 1.36.0 - Reflected Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:35:10.617Z

Reserved: 2025-10-29T15:41:23.338Z

Link: CVE-2025-12471

cve-icon Vulnrichment

Updated: 2025-11-06T15:27:58.867Z

cve-icon NVD

Status : Deferred

Published: 2025-11-06T07:15:43.510

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12471

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T02:00:12Z

Weaknesses