Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vbout Marketing Automation marketing-automation allows Reflected XSS. This issue affects Marketing Automation: from n/a through <= 1.2.6.8.
Published: 2025-02-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Neutralization of Input During Web Page Generation that allows attackers to inject arbitrary HTML and JavaScript into pages served by the Marketing Automation plugin. A reflected XSS flaw enables malicious code to execute in the browser of any user who views a crafted page or link, potentially leading to session hijacking, credential theft, or redirection to phishing sites. This weakness is identified by CWE-79 and poses a client‑side code execution risk.

Affected Systems

The flaw affects the vbout Marketing Automation plugin for WordPress, versions from the initial release through and including 1.2.6.8. All WordPress sites that have this plugin installed and have not applied a later update are susceptible.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests exploitation is unlikely at this moment. The vulnerability is not listed in the CISA KEV catalog. Attackers could exploit the flaw by crafting a malicious URL that includes unfiltered input, causing it to be reflected in the page response. No specific authentication or elevated privileges are required; the threat is remote and depends on the victim’s interaction with the reflected content.

Generated by OpenCVE AI on May 1, 2026 at 15:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Marketing Automation plugin to a version newer than 1.2.6.8.
  • If an immediate update is not possible, disable or restrict any plugin features that accept user‑supplied data and validate or escape all output on the server side.
  • Implement a strict Content Security Policy that blocks inline scripts and restricts external script sources to trusted domains.


Advisories
Source: EUVD
ID: EUVD-2025-4397
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vbout Marketing Automation allows Reflected XSS. This issue affects Marketing Automation: from n/a through 1.2.6.8.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vbout Marketing Automation allows Reflected XSS. This issue affects Marketing Automation: from n/a through 1.2.6.8.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vbout Marketing Automation marketing-automation allows Reflected XSS. This issue affects Marketing Automation: from n/a through <= 1.2.6.8.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 24 Feb 2025 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 23 Feb 2025 23:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vbout Marketing Automation allows Reflected XSS. This issue affects Marketing Automation: from n/a through 1.2.6.8.
Title WordPress Marketing Automation Plugin <= 1.2.6.8 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:02.775Z

Reserved: 2025-01-07T21:02:24.870Z

Link: CVE-2025-22631

Vulnrichment

Updated: 2025-02-24T11:58:26.331Z

NVD

Status: Deferred

Published: 2025-02-23T23:15:10.290

Modified: 2026-06-17T08:48:50.130

Link: CVE-2025-22631

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T16:00:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')