Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in intelligence_lab Scanventory woocommerce-inventory-management allows Reflected XSS. This issue affects Scanventory: from n/a through <= 1.1.3.
Published: 2025-01-13
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An output-encoding flaw in the Scanventory WooCommerce inventory-management plugin allows reflected cross-site scripting (CWE-79). Attacker-controlled data taken from an HTTP request is written into the generated HTML response without proper encoding, so a crafted request causes arbitrary JavaScript to run in the browser of whoever opens it, in the origin of the WordPress site. That script can read cookies that are not marked HttpOnly, ride the victim's live session to issue requests as that user (session hijacking without needing the cookie value), deface the page, or, if the victim is a logged-in administrator, perform destructive administrative actions on their behalf.

Affected Systems

The vulnerability affects the Scanventory plugin from intelligence_lab for WordPress (plugin slug woocommerce-inventory-management). The advisory gives no lower bound ("from n/a"), so every release up to and including 1.1.3 is affected. Any WordPress site with Scanventory 1.1.3 or older installed is potentially impacted.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 7.1 (High; vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), but its EPSS score of less than 1% indicates a low observed likelihood of exploitation so far, and it is not listed in the CISA KEV catalog. No privileges are required (PR:N): the attacker only needs to craft an HTTP request whose parameter value the affected site echoes back into the response. Exploitation does require user interaction (UI:R): the victim, whether logged in or not, must open the attacker's crafted URL or submit the crafted form, typically after being lured by a link in e-mail, chat or another web page, and the payload has no effect until someone's browser renders that response. The scope change (S:C) reflects that the script executes in the victim's browser in the context of the whole WordPress site, not just the vulnerable plugin. The plausible route is a simple URL alteration or form submission that emits the supplied value back to the browser.

Generated by OpenCVE AI on May 1, 2026 at 21:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Scanventory to a release newer than 1.1.3 as soon as the vendor publishes one. This page records no vendor fix at the time of writing, so confirm against the plugin changelog or the Patchstack advisory that the release you install actually removes the reflected XSS vector rather than assuming any later version does.
  • If an upgrade is not yet possible, deactivate the plugin until a fix ships; that removes the vector entirely. Where it must stay active, restrict who can reach the plugin's pages at the web server, reverse proxy or WAF level (the CVSS vector shows the endpoint needs no WordPress login, so role-based restrictions inside WordPress alone do not close it), and consider a Content-Security-Policy that disallows inline script as defence in depth.
  • For the plugin's developers: escape every request-derived value at the point of output with the WordPress context-specific helpers (esc_html() for text nodes, esc_attr() for attribute values, esc_url() for links, esc_js() inside inline scripts) rather than relying on input sanitization alone. Site operators cannot apply this themselves short of patching the plugin's code.

Generated by OpenCVE AI on May 1, 2026 at 21:48 UTC.
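The reflection mechanism described under Impact and the output-encoding fix recommended above, as an added example that is not code from the Scanventory plugin, Patchstack or OpenCVE. The page does not name the vulnerable parameter, so the parameter name "q", the HTML templates, the host name and the sample response bodies below are constructed assumptions. The script models the vulnerable echo beside its hardened form (html.escape with quote=True does for an attribute value what WordPress's esc_attr() does) and includes the check a practitioner would run against a captured response to tell a live reflection from an encoded or absent one.

```python
"""Reflection check for a reflected-XSS candidate, plus the encoding fix.

Added example, not code from the Scanventory plugin or from OpenCVE. The
parameter name "q", the HTML templates, the host name and the response
bodies below are constructed assumptions for illustration; the advisory
does not name the vulnerable parameter.
"""
import html
from urllib.parse import urlencode, urljoin

# A marker that will not occur in normal page content, followed by the
# characters that are only dangerous if the plugin echoes them unencoded.
MARKER = "zq7xprobe"
PROBE = MARKER + '"><svg onload=alert(1)>'


def build_probe_url(base_url: str, param: str, probe: str = PROBE) -> str:
    """Build the crafted GET URL a victim would be lured into opening.

    urlencode() percent-encodes the payload for transport only; the server
    decodes it again before echoing it, so this neutralises nothing.
    """
    return urljoin(base_url, "?" + urlencode({param: probe}))


def render_vulnerable(value: str) -> str:
    """Hypothetical vulnerable output: the request value is echoed raw into
    an attribute, the PHP equivalent of `echo $_GET['q']` inside value="...".
    """
    return f'<form><input type="text" name="q" value="{value}"></form>'


def render_fixed(value: str) -> str:
    """Hardened output: the value is escaped for the attribute context.

    html.escape(quote=True) turns < > & " ' into entities, which is what
    WordPress's esc_attr() does here, so the browser sees text, not markup.
    """
    escaped = html.escape(value, quote=True)
    return f'<form><input type="text" name="q" value="{escaped}"></form>'


def classify_reflection(body: str, probe: str = PROBE, marker: str = MARKER) -> str:
    """Classify how a response body reflects the probe.

    'raw'     - the probe appears byte-for-byte, so the injected tag is live
    'encoded' - the marker survived but the tag did not: output encoding or a
                filter altered it, so this path is not exploitable as sent
    'absent'  - the parameter is not reflected in this response at all
    """
    if probe in body:
        return "raw"
    if marker in body:
        return "encoded"
    return "absent"


def main() -> None:
    url = build_probe_url("https://shop.example/", "q")  # constructed host
    print("probe URL:", url)
    samples = (
        ("vulnerable", render_vulnerable(PROBE)),
        ("fixed", render_fixed(PROBE)),
        ("unrelated page", "<html><body>no search box here</body></html>"),
    )
    for label, body in samples:
        print(f"{label:14s} -> {classify_reflection(body)}")


if __name__ == "__main__":
    main()
```

classify_reflection() takes any response body, so the same check runs offline on a saved response or on the body returned by a real fetch of the probe URL. Judge each output context separately: attribute escaping as shown here does not make a value safe inside a `<script>` block or a URL, which is why the recommended fix uses esc_attr(), esc_html(), esc_url() and esc_js() according to where the value lands.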

Advisories
Source: EUVD
ID: EUVD-2025-2863
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scanventory.net Scanventory allows Reflected XSS. This issue affects Scanventory: from n/a through 1.1.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scanventory.net Scanventory allows Reflected XSS. This issue affects Scanventory: from n/a through 1.1.3.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in intelligence_lab Scanventory woocommerce-inventory-management allows Reflected XSS. This issue affects Scanventory: from n/a through <= 1.1.3.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 13 Jan 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Jan 2025 13:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scanventory.net Scanventory allows Reflected XSS.This issue affects Scanventory: from n/a through 1.1.3.
Title WordPress Scanventory Plugin <= 1.1.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:02.307Z

Reserved: 2025-01-07T10:23:51.454Z

Link: CVE-2025-22588

Vulnrichment

Updated: 2025-01-13T14:15:07.325Z

NVD

Status: Deferred

Published: 2025-01-13T14:15:12.660

Modified: 2026-06-17T08:48:30.180

Link: CVE-2025-22588

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T22:00:14Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')