Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themebon Ultimate Image Hover Effects ultimate-image-hover-effects allows DOM-Based XSS. This issue affects Ultimate Image Hover Effects: from n/a through <= 1.1.2.
Published: 2025-01-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a DOM-based XSS flaw caused by insufficient sanitization of input in the Ultimate Image Hover Effects plugin. It allows an attacker to inject arbitrary JavaScript that executes in the browser of any user who loads the affected page, potentially compromising the authenticity and integrity of the site.

Affected Systems

The issue exists in the themebon Ultimate Image Hover Effects WordPress plugin; any installation running version 1.1.2 or earlier is affected. The plugin is widely used across WordPress sites; no specific WordPress version or operating system constraints are mentioned.

Risk and Exploitability

With a CVSS score of 6.5, the vulnerability is of moderate severity. The EPSS value of less than 1% indicates a very low probability of exploitation, and the flaw is not listed in CISA's KEV catalog. Based on the description, the likely attack vector involves crafted input that the plugin echoes back into the page, triggering the DOM-based XSS. The attack only takes effect when a user's browser loads the affected page, so the exposed surface is limited to visitors of the site.

Generated by OpenCVE AI on May 2, 2026 at 06:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ultimate Image Hover Effects plugin to the latest version that contains the XSS fix
  • If an update is not immediately available, disable the plugin or restrict its usage to trusted administrators
  • Sanitize or escape any user input fields that the plugin renders in the page to prevent injection of arbitrary code

Advisories

  • Source: EUVD
    ID: EUVD-2025-2860
    Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themebon Ultimate Image Hover Effects allows DOM-Based XSS. This issue affects Ultimate Image Hover Effects: from n/a through 1.1.2.

History

Each entry lists the change type followed by the values removed and the values added.

Thu, 23 Apr 2026 15:00:00 +0000

  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  • Description
    Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themebon Ultimate Image Hover Effects allows DOM-Based XSS. This issue affects Ultimate Image Hover Effects: from n/a through 1.1.2.
    Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themebon Ultimate Image Hover Effects ultimate-image-hover-effects allows DOM-Based XSS. This issue affects Ultimate Image Hover Effects: from n/a through <= 1.1.2.
  • References
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 07 Jan 2025 17:15:00 +0000

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Jan 2025 15:30:00 +0000

  • Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themebon Ultimate Image Hover Effects allows DOM-Based XSS. This issue affects Ultimate Image Hover Effects: from n/a through 1.1.2.
  • Title: WordPress Ultimate Image Hover Effects plugin <= 1.1.2 - Cross Site Scripting (XSS) vulnerability
  • Weaknesses: CWE-79
  • References
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:01.997Z

Reserved: 2025-01-07T10:23:42.744Z

Link: CVE-2025-22585

Vulnrichment

Updated: 2025-01-07T16:43:35.879Z

NVD

Status: Deferred

Published: 2025-01-07T16:15:54.923

Modified: 2026-06-17T08:48:28.627

Link: CVE-2025-22585

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T07:00:06Z

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')