Description
The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-11
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The iONE360 configurator plugin for WordPress suffers from insufficient input sanitization and output escaping in its contact form, allowing unauthenticated attackers to embed arbitrary JavaScript that is stored and later served to users. This stored cross‑site scripting flaw can lead to session hijacking, credential theft, or defacement of pages viewed by unsuspecting visitors. The weakness is classified as CWE‑79.

Affected Systems

All installations of the iONE360 configurator plugin for WordPress with a version of 2.0.57 or earlier are affected. The flaw exists across all releases up to and including 2.0.57.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw by submitting malicious input via the public contact form without any authentication, resulting in scripts being executed for any user who visits the affected page.

Generated by OpenCVE AI on April 22, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the iONE360 configurator plugin to version 2.0.58 or later, where the stored XSS issue has been fixed.
  • If upgrading is not immediately possible, disable or remove the contact form feature, or restrict its use to authenticated users only.
  • Implement proper input sanitization and output escaping on the contact form fields, and review other plugins for similar weaknesses.

Generated by OpenCVE AI on April 22, 2026 at 15:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 12 Feb 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Ione360
Ione360 ione360 Configurator
Wordpress
Wordpress wordpress
Vendors & Products Ione360
Ione360 ione360 Configurator
Wordpress
Wordpress wordpress

Wed, 11 Feb 2026 08:30:00 +0000

Type Values Removed Values Added
Description The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title iONE360 configurator <= 2.0.57 - Unauthenticated Stored Cross-Site Scripting via Contact Form Parameters
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Ione360 Ione360 Configurator
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:47.068Z

Reserved: 2026-01-02T15:28:09.514Z

Link: CVE-2025-15440

cve-icon Vulnrichment

Updated: 2026-02-11T15:41:20.989Z

cve-icon NVD

Status : Deferred

Published: 2026-02-11T09:15:50.457

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-15440

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T15:30:20Z

Weaknesses