Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yamna Khawaja KNR Author List Widget knr-author-list-widget allows Reflected XSS.This issue affects KNR Author List Widget: from n/a through <= 3.1.1.
Published: 2025-01-13
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation has been identified in the KNR Author List Widget plugin. The flaw allows an attacker to embed malicious scripts into the HTML output by manipulating query parameters or form inputs, resulting in reflected XSS. This can enable session hijacking, cookie theft, defacement, or redirection of site visitors and administrators, thereby compromising both confidentiality and integrity of the site.

Affected Systems

The WordPress plugin "KNR Author List Widget" created by Yamna Khawaja is affected. All installations running version 3.1.1 or older are impacted. The vulnerability affects typical WordPress deployments that include the widget on any page or post.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity, while the EPSS score of fewer than 1% suggests a very low current exploitation probability. The plugin is not listed in the CISA KEV catalog. Attackers likely need to entice a user or an administrator to visit a crafted URL containing malicious payloads, a common reflected XSS attack scenario. If exploited, the attacker could gain temporary client‑side access, exfiltrate sensitive data or maintain a foothold for further attacks.

Generated by OpenCVE AI on May 1, 2026 at 21:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the KNR Author List Widget plugin to the latest version (any release newer than 3.1.1) or apply the vendor‑supplied patch that removes the vulnerable input handling.
  • If the plugin cannot be updated immediately, disable or remove the widget from all pages to eliminate the attack surface until a fix is available.
  • Conduct a site‑wide review of user‑supplied content rendering, enforce proper escaping for all output contexts, and deploy a strong Content Security Policy to mitigate remaining XSS risks.

Generated by OpenCVE AI on May 1, 2026 at 21:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-2794 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yamna Tatheer KNR Author List Widget allows Reflected XSS.This issue affects KNR Author List Widget: from n/a through 3.1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yamna Tatheer KNR Author List Widget allows Reflected XSS.This issue affects KNR Author List Widget: from n/a through 3.1.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yamna Khawaja KNR Author List Widget knr-author-list-widget allows Reflected XSS.This issue affects KNR Author List Widget: from n/a through <= 3.1.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Mon, 13 Jan 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Jan 2025 13:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yamna Tatheer KNR Author List Widget allows Reflected XSS.This issue affects KNR Author List Widget: from n/a through 3.1.1.
Title WordPress Axact Author List Widget Plugin <= 3.1.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:00.584Z

Reserved: 2025-01-07T10:22:41.466Z

Link: CVE-2025-22514

cve-icon Vulnrichment

Updated: 2025-01-13T13:48:13.954Z

cve-icon NVD

Status : Deferred

Published: 2025-01-13T14:15:11.290

Modified: 2026-06-17T08:47:54.583

Link: CVE-2025-22514

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T22:00:14Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')