Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Roberto Bottalico Qr Code and Barcode Scanner Reader qr-code-and-barcode-scanner-reader allows Stored XSS.This issue affects Qr Code and Barcode Scanner Reader: from n/a through <= 1.0.0.
Published: 2025-01-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Qr Code and Barcode Scanner Reader plugin for WordPress contains a stored Cross‑Site Scripting flaw (CWE‑79). When untrusted input supplied to the plugin is later rendered as part of a web page, an attacker can embed malicious JavaScript that executes in the browsers of any users who view the affected content. This can lead to session hijacking, credential theft, defacement, or other client‑side compromise.

Affected Systems

The vulnerability affects the Roberto Bottalico Qr Code and Barcode Scanner Reader WordPress plugin in all releases from the initial version through version 1.0.0. Site owners running any of these versions are potentially exposed.

Risk and Exploitability

The CVSS score of 6.5 classifies the flaw as medium severity. The EPSS score of under 1 % indicates that exploitation is unlikely to be widespread, and the flaw is not listed in CISA’s KEV catalog. Potential attackers would need to submit malicious data to the plugin and an unsuspecting visitor would have to load the page that displays the stored content. This reliance on user interaction reduces the likelihood of exploitation but does not eliminate it.

Generated by OpenCVE AI on May 1, 2026 at 22:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Qr Code and Barcode Scanner Reader plugin to a version newer than 1.0.0 as soon as a patch is released
  • If an update is not yet available, temporarily disable or delete the plugin to prevent the flaw from being used
  • As a last‑resort measure, enforce a strict Content Security Policy that blocks inline scripts or enforce input sanitization by whitelisting allowed characters before storing data to the database

Generated by OpenCVE AI on May 1, 2026 at 22:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3022 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 4wpbari Qr Code and Barcode Scanner Reader allows Stored XSS.This issue affects Qr Code and Barcode Scanner Reader: from n/a through 1.0.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 4wpbari Qr Code and Barcode Scanner Reader allows Stored XSS.This issue affects Qr Code and Barcode Scanner Reader: from n/a through 1.0.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Roberto Bottalico Qr Code and Barcode Scanner Reader qr-code-and-barcode-scanner-reader allows Stored XSS.This issue affects Qr Code and Barcode Scanner Reader: from n/a through <= 1.0.0.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Fri, 10 Jan 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Jan 2025 15:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 4wpbari Qr Code and Barcode Scanner Reader allows Stored XSS.This issue affects Qr Code and Barcode Scanner Reader: from n/a through 1.0.0.
Title WordPress Qr Code and Barcode Scanner Reader plugin <= 1.0.0 - Stored Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:08.060Z

Reserved: 2025-01-07T21:05:54.009Z

Link: CVE-2025-22819

cve-icon Vulnrichment

Updated: 2025-01-10T20:19:16.890Z

cve-icon NVD

Status : Deferred

Published: 2025-01-09T16:16:32.000

Modified: 2026-06-17T08:50:19.650

Link: CVE-2025-22819

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T22:15:27Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')