Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Berkman Klein Center Amber amberlink allows Reflected XSS.This issue affects Amber: from n/a through <= 1.4.4.
Published: 2025-01-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Amber plugin for WordPress contains an input sanitization flaw that allows attackers to inject arbitrary JavaScript into the page that is returned to the user. This reflected XSS can be triggered when a user visits a specially crafted URL or submits a form field that the plugin echoes back without proper escaping. The immediate impact is that attackers can steal session cookies, deface the website, or perform phishing attacks against users who view the vulnerable page. The weakness is a typical Cross‑Site Scripting flaw (CWE‑79).

Affected Systems

WordPress sites that have the Berkman Klein Center Amber plugin installed, specifically versions up to and including 1.4.4. Any installation of Amber 1.4.4 or earlier is affected; newer versions are not listed as vulnerable.

Risk and Exploitability

The CVSS score of 7.1 classifies this as a high‑severity vulnerability. The EPSS score is below 1%, indicating that the probability of exploitation is very low at this time, and the vulnerability is not listed in the CISA KEV catalogue. Based on the description, it is inferred that reflected XSS can be triggered from arbitrary URLs, allowing an attacker with only network access to send a crafted link to a target user; the absence of authentication or restrictive input handling means anyone who visits the malformed URL may be affected.

Generated by OpenCVE AI on May 2, 2026 at 06:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Amber plugin to a version newer than 1.4.4 to eliminate the XSS flaw.
  • If an upgrade cannot be performed immediately, deactivate or remove the Amber plugin from the WordPress installation to prevent exploitation.
  • Apply secure coding practices by ensuring all user input is properly escaped or encoded before output, and consider disabling WordPress file editing and enabling basic hardening measures such as OWASP ModSecurity rules.

Generated by OpenCVE AI on May 2, 2026 at 06:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-2969 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Berkman Center for Internet & Society Amber allows Reflected XSS.This issue affects Amber: from n/a through 1.4.4.
History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Berkman Center for Internet & Society Amber allows Reflected XSS.This issue affects Amber: from n/a through 1.4.4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Berkman Klein Center Amber amberlink allows Reflected XSS.This issue affects Amber: from n/a through <= 1.4.4.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 15 Jan 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Jan 2025 15:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Berkman Center for Internet & Society Amber allows Reflected XSS.This issue affects Amber: from n/a through 1.4.4.
Title WordPress Amber Plugin <=1.4.4 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:53.745Z

Reserved: 2025-01-07T21:04:32.545Z

Link: CVE-2025-22754

cve-icon Vulnrichment

Updated: 2025-01-15T19:05:02.996Z

cve-icon NVD

Status : Deferred

Published: 2025-01-15T16:15:38.260

Modified: 2026-04-29T10:16:39.990

Link: CVE-2025-22754

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T06:30:36Z

Weaknesses