Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Patel WP Query Creator wp-query-creator allows Reflected XSS. This issue affects WP Query Creator: from n/a through <= 1.0.
Published: 2025-01-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw stems from improper neutralization of input during web page generation, allowing Reflected Cross‑Site Scripting. When the WP Query Creator plugin processes user‑supplied query parameters, it fails to encode or filter the data, so malicious scripts can be echoed back to the client. As a result, an attacker can make code execute in a victim’s browser when the victim follows a crafted link.

Affected Systems

Affected are sites that run the Patel WP Query Creator WordPress plugin, versions up to and including 1.0. WordPress installations that have the plugin installed and use it to handle query strings are vulnerable. No other vendors or products are mentioned.

Risk and Exploitability

The CVSS base score is 7.1, indicating a high‑severity risk that can be triggered remotely. EPSS is less than 1%, implying a low but non‑zero chance of exploitation. The vulnerability is not currently in the CISA KEV list. The likely attack vector is an attacker creating a link with malicious input; when a user clicks it, the script runs in the browser.

Generated by OpenCVE AI on May 2, 2026 at 05:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Patel WP Query Creator plugin to a version that has the XSS issue fixed, or remove it entirely if it is not required.
  • Apply proper input validation or encoding to any query parameters handled by the plugin, ensuring that user‑supplied data is sanitized before rendering.
  • Configure a web application firewall to detect and block requests containing script payloads, providing an additional layer of protection.
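The second recommended action (validate and encode query parameters before rendering) is the one a plugin developer actually has to implement. The following is an added illustration, not code from the WP Query Creator plugin; the page does not show the plugin's vulnerable code path, so the function names, the `search` query parameter and the `wpqc-demo` text domain are all hypothetical. It contrasts the pattern that produces reflected XSS (CWE-79) with the WordPress idiom of sanitizing on input and escaping for the exact output context.

```php
<?php
// Added example, not the plugin's own code. Hypothetical admin page that
// reflects a "search" query parameter back into the generated HTML.

// VULNERABLE PATTERN (CWE-79, reflected): the raw request value is
// concatenated into markup, so whatever the URL carries is interpreted
// by the browser as HTML/JavaScript. Shown only as the "before" state.
function wpqc_demo_render_search_unsafe() {
    $term = isset( $_GET['search'] ) ? $_GET['search'] : '';
    echo '<input type="text" name="search" value="' . $term . '">';
    echo '<p>Results for: ' . $term . '</p>';
}

// HARDENED PATTERN: unslash, sanitize on input, then escape at the point
// of output with the helper that matches the context (attribute, text
// node, URL). Escaping at output is what neutralizes the input for the
// page; sanitizing on input is defense in depth.
function wpqc_demo_render_search_safe() {
    $term = '';
    if ( isset( $_GET['search'] ) ) {
        // wp_unslash() removes the slashes WordPress adds to request data;
        // sanitize_text_field() strips tags, octets and line breaks.
        $term = sanitize_text_field( wp_unslash( $_GET['search'] ) );
    }

    // Attribute context: esc_attr() encodes quotes and angle brackets so
    // the value cannot close the attribute or the tag.
    printf(
        '<input type="text" name="search" value="%s">',
        esc_attr( $term )
    );

    // Text-node context: esc_html() encodes <, >, &, " and '.
    printf(
        '<p>%s %s</p>',
        esc_html__( 'Results for:', 'wpqc-demo' ),
        esc_html( $term )
    );

    // URL context: build the link with add_query_arg() and escape the
    // whole URL with esc_url(), which also rejects non-http(s) schemes
    // such as javascript: in the href attribute.
    $next = add_query_arg( array( 'search' => $term, 'paged' => 2 ) );
    printf(
        '<a href="%s">%s</a>',
        esc_url( $next ),
        esc_html__( 'Next page', 'wpqc-demo' )
    );
}
```

The choice of escaping function is tied to where the value lands, not to where it came from: a value that is safe inside an element's text is not automatically safe inside an attribute or a URL, which is why the hardened version escapes each output separately rather than once on input.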

Advisories
Source: EUVD
ID: EUVD-2025-2682
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tarak Patel WP Query Creator allows Reflected XSS. This issue affects WP Query Creator: from n/a through 1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tarak Patel WP Query Creator allows Reflected XSS. This issue affects WP Query Creator: from n/a through 1.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Patel WP Query Creator wp-query-creator allows Reflected XSS.This issue affects WP Query Creator: from n/a through <= 1.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 12 Feb 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Jan 2025 15:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tarak Patel WP Query Creator allows Reflected XSS. This issue affects WP Query Creator: from n/a through 1.0.
Title WordPress WP Query Creator plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:10:57.674Z

Reserved: 2025-01-02T12:02:05.151Z

Link: CVE-2025-22264

Vulnrichment

Updated: 2025-02-12T20:34:40.377Z

NVD

Status: Deferred

Published: 2025-01-23T16:15:37.257

Modified: 2026-06-17T08:46:00.227

Link: CVE-2025-22264

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T05:45:20Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')