Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weiluri WP Order By wp-order-by allows Reflected XSS.This issue affects WP Order By: from n/a through <= 1.4.2.
Published: 2025-01-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Order By plugin does not properly neutralize user-provided input, enabling a reflected Cross‑Site Scripting vulnerability. When the plugin renders data that includes untrusted input, malicious JavaScript can be delivered to a victim’s browser.

Affected Systems

WordPress installations that have the WP Order By plugin version 1.4.2 or earlier installed.

Risk and Exploitability

The CVSS score of 7.1 indicates a high impact for the vulnerability. The EPSS score of less than 1 % indicates a low likelihood of exploitation at this time, and the flaw is not listed in CISA’s KEV catalog. The attack vector is inferred to be a user visiting a crafted URL or submitting a malicious form that the plugin reflects back, which is typical for reflected XSS flaws.

Generated by OpenCVE AI on May 2, 2026 at 06:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Order By to any release newer than 1.4.2.
  • If an upgrade cannot be performed immediately, disable the WP Order By plugin to eliminate the reflection source.
  • Implement a strong content‑security‑policy to restrict execution of inline scripts and reduce the impact of any residual XSS exploitation.

Generated by OpenCVE AI on May 2, 2026 at 06:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-2979 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uri Weil WP Order By allows Reflected XSS.This issue affects WP Order By: from n/a through 1.4.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uri Weil WP Order By allows Reflected XSS.This issue affects WP Order By: from n/a through 1.4.2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weiluri WP Order By wp-order-by allows Reflected XSS.This issue affects WP Order By: from n/a through <= 1.4.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 15 Jan 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Jan 2025 15:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uri Weil WP Order By allows Reflected XSS.This issue affects WP Order By: from n/a through 1.4.2.
Title WordPress WP Order By Plugin <= 1.4.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:06.758Z

Reserved: 2025-01-07T21:04:45.367Z

Link: CVE-2025-22765

cve-icon Vulnrichment

Updated: 2025-01-15T19:10:05.353Z

cve-icon NVD

Status : Deferred

Published: 2025-01-15T16:15:39.543

Modified: 2026-06-17T08:49:53.597

Link: CVE-2025-22765

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T06:30:36Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')