Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RopeSwingHld SpeakOut! Email Petitions speakout allows DOM-Based XSS. This issue affects SpeakOut! Email Petitions: from n/a through <= 4.4.2.
Published: 2025-01-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SpeakOut! Email Petitions WordPress plugin, in versions 4.4.2 and earlier, contains a DOM-based cross-site scripting vulnerability: user input is not neutralized during web page rendering. The weakness is classified as CWE-79 and permits an attacker to inject malicious JavaScript that executes client-side when affected pages are viewed.

Affected Systems

WordPress websites that have the RopeSwingHld SpeakOut! Email Petitions plugin installed with a version number no greater than 4.4.2 are affected. The plugin is distributed under the name SpeakOut! Email Petitions.

Risk and Exploitability

The CVSS score of 6.5 denotes medium severity, while the EPSS score of less than 1% indicates a low probability of widespread exploitation at present. This is a client-side vulnerability: it does not require code execution on the server and typically relies on a victim visiting a crafted URL or content that the plugin renders. The vulnerability is not currently listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 2, 2026 at 06:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SpeakOut! Email Petitions plugin to version 4.4.3 or later to remove the XSS flaw.
  • If an upgrade cannot be performed immediately, deactivate or delete the plugin from the production environment until a patched version is available.
  • Configure an adequate Content Security Policy to restrict script execution and mitigate the impact of any remaining XSS vectors.

Advisories
Source: EUVD
ID: EUVD-2025-2709
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve D SpeakOut! Email Petitions allows DOM-Based XSS. This issue affects SpeakOut! Email Petitions: from n/a through 4.4.2.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve D SpeakOut! Email Petitions allows DOM-Based XSS. This issue affects SpeakOut! Email Petitions: from n/a through 4.4.2.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RopeSwingHld SpeakOut! Email Petitions speakout allows DOM-Based XSS. This issue affects SpeakOut! Email Petitions: from n/a through <= 4.4.2.
References
Metrics cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 07 Jan 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jan 2025 11:00:00 +0000

Type Values Removed Values Added
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve D SpeakOut! Email Petitions allows DOM-Based XSS. This issue affects SpeakOut! Email Petitions: from n/a through 4.4.2.
Title: WordPress SpeakOut! Email Petitions plugin <= 4.4.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses: CWE-79
References
Metrics cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:10:58.986Z

Reserved: 2025-01-03T13:16:10.260Z

Link: CVE-2025-22309

Vulnrichment

Updated: 2025-01-07T14:54:00.608Z

NVD

Status: Deferred

Published: 2025-01-07T11:15:15.190

Modified: 2026-06-17T08:46:21.467

Link: CVE-2025-22309

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T07:00:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')