Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dstoever WPEX Replace DB Urls wpex-replace allows Reflected XSS.This issue affects WPEX Replace DB Urls: from n/a through <= 0.4.0.
Published: 2025-01-13
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an improper neutralization of input during web page generation that permits reflected cross‑site scripting. An attacker can supply crafted input that is reflected in a page without adequate escaping, allowing malicious code to execute in the browser of any user who views the affected page.

Affected Systems

The WPEX Replace DB Urls WordPress plugin developed by dstoever is affected for all releases from the earliest version through 0.4.0. Sites running these plugin versions on any WordPress installation are vulnerable.

Risk and Exploitability

The CVSS score of 7.1 classifies the vulnerability as high severity. The EPSS score of less than 1 % indicates a low overall exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via the web interface, as the flaw is triggered by user‑supplied input that is rendered without proper escaping.

Generated by OpenCVE AI on May 2, 2026 at 06:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPEX Replace DB Urls plugin to a version newer than 0.4.0
  • If an immediate upgrade is not possible, disable the plugin or remove the vulnerable functionality from the site
  • Run an updated security scan to confirm that reflected XSS vectors are no longer present

Generated by OpenCVE AI on May 2, 2026 at 06:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-2861 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Detlef Stöver WPEX Replace DB Urls allows Reflected XSS.This issue affects WPEX Replace DB Urls: from n/a through 0.4.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Detlef Stöver WPEX Replace DB Urls allows Reflected XSS.This issue affects WPEX Replace DB Urls: from n/a through 0.4.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dstoever WPEX Replace DB Urls wpex-replace allows Reflected XSS.This issue affects WPEX Replace DB Urls: from n/a through <= 0.4.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Mon, 13 Jan 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Jan 2025 13:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Detlef Stöver WPEX Replace DB Urls allows Reflected XSS.This issue affects WPEX Replace DB Urls: from n/a through 0.4.0.
Title WordPress WPEX Replace DB Urls Plugin <= 0.4.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:02.152Z

Reserved: 2025-01-07T10:23:51.454Z

Link: CVE-2025-22586

cve-icon Vulnrichment

Updated: 2025-01-13T14:14:44.288Z

cve-icon NVD

Status : Deferred

Published: 2025-01-13T14:15:12.490

Modified: 2026-06-17T08:48:29.117

Link: CVE-2025-22586

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T06:45:36Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')