Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bavington WP Headmaster wp-headmaster allows Reflected XSS. This issue affects WP Headmaster: from n/a through <= 0.3.
Published: 2025-01-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Headmaster plugin for WordPress contains a reflected cross‑site scripting flaw due to improper neutralization of user input during page generation. The vulnerability is marked CWE‑79. An attacker can embed malicious scripts in input that the plugin outputs unfiltered, allowing code execution in the browser of users who view the vulnerable page.

Affected Systems

WordPress installations that have the WP Headmaster plugin from bavington installed at version 0.3 or earlier. The vulnerability applies to all WordPress sites that have this plugin enabled. No additional version details are provided in the CNA data beyond the inclusive range up to 0.3.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity reflected XSS flaw that can be triggered through a crafted URL or input field. The EPSS score of < 1 % suggests a very low but non‑zero probability of exploitation; it is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could supply malicious input that is reflected by the plugin, potentially enabling script execution in users’ browsers. The likely attack vector is remote, through the web interface, but the exact impact on confidentiality, integrity or availability depends on the victim’s privileges and the nature of the injected script.

Generated by OpenCVE AI on May 2, 2026 at 06:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Headmaster to a version that includes a fix for the reflected XSS flaw or uninstall the plugin if upgrading is not possible.
  • Disable the plugin if the site is not dependent on its functionality.
  • Implement a content security policy that restricts script execution or use a web application firewall to block reflected script payloads as an interim safeguard.

Advisories
Source: EUVD
ID: EUVD-2025-2970
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in James Bavington WP Headmaster allows Reflected XSS. This issue affects WP Headmaster: from n/a through 0.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in James Bavington WP Headmaster allows Reflected XSS. This issue affects WP Headmaster: from n/a through 0.3.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bavington WP Headmaster wp-headmaster allows Reflected XSS. This issue affects WP Headmaster: from n/a through <= 0.3.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 15 Jan 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Jan 2025 15:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in James Bavington WP Headmaster allows Reflected XSS. This issue affects WP Headmaster: from n/a through 0.3.
Title WordPress WP Headmaster Plugin <= 0.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:06.702Z

Reserved: 2025-01-07T21:04:32.545Z

Link: CVE-2025-22755

Vulnrichment

Updated: 2025-01-15T19:05:28.599Z

NVD

Status: Deferred

Published: 2025-01-15T16:15:38.417

Modified: 2026-06-17T08:49:49.150

Link: CVE-2025-22755

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T06:30:36Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')