Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arash Safari QMean – WordPress Did You Mean (qmean) allows Reflected XSS. This issue affects QMean – WordPress Did You Mean: from n/a through <= 2.0.
Published: 2025-02-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, i.e. a reflected cross-site scripting flaw classified as CWE-79. Because the plugin reflects unescaped user-supplied data back into the page, an attacker who can get a victim to load a crafted URL can have arbitrary JavaScript rendered and executed in that victim's browser, enabling session hijacking, phishing, or other client-side attacks.

Affected Systems

Arash Safari’s QMean – WordPress Did You Mean plugin is impacted. Any WordPress site that has installed QMean version 2.0 or earlier is vulnerable. Versions released after 2.0 are not affected.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% implies a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to lure a victim into opening a crafted URL (the CVSS vector records user interaction as required); the plugin then reflects the attacker-controlled parameter into the page without proper escaping. The attack vector is therefore network-based and reachable by unauthenticated external users.

Generated by OpenCVE AI on May 1, 2026 at 16:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the QMean plugin to a release newer than 2.0, or uninstall the plugin if no upgrade is available.
  • Disable or remove any functionality that exposes unsanitized user input before it is rendered.
  • Configure a web application firewall or security plugin to detect and block injected scripts, enforcing strict XSS filtering rules.
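The following PHP is an added illustration of the defect class this advisory describes and of the escaping that removes it; it is not QMean's code, and the parameter name q, the markup, and the shim implementations are assumptions. It contrasts a handler that echoes a query term verbatim (the reflected-XSS pattern) with one that sanitises the input and escapes it for each output context using the WordPress helpers named in the recommendations above. The function_exists shims only exist so the file runs under plain `php` outside WordPress.

```php
<?php
// Added illustration, not the plugin's code. The parameter name 'q', the
// markup and the shims below are assumptions made for this example.

// Stand-ins so the file runs outside WordPress (`php example.php`).
// Inside WordPress these functions already exist and the shims are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Simplified: strip tags and control characters. WordPress does more.
        $str = strip_tags((string) $str);
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', $str));
    }
}

// Vulnerable pattern (CWE-79): the query term from the URL is written back
// into the response unchanged, so attacker-chosen characters become markup.
function render_suggestion_unsafe(string $term): string
{
    return '<p>Did you mean <a href="?q=' . $term . '">' . $term . '</a>?</p>';
}

// Hardened pattern: normalise the input once, then escape for the exact
// context each copy lands in (URL query value inside an attribute, and
// element text).
function render_suggestion_safe(string $term): string
{
    $term = sanitize_text_field($term);
    $href = '?q=' . rawurlencode($term);          // URL context
    return '<p>Did you mean <a href="' . esc_attr($href) . '">'   // attribute context
         . esc_html($term) . '</a>?</p>';                          // text context
}

// Constructed sample input: a search term carrying attribute-breaking and
// tag characters, the shape a crafted URL parameter would have.
$input = 'wordpres"><b>x</b>';
echo 'unsafe: ' . render_suggestion_unsafe($input) . PHP_EOL;
echo 'safe:   ' . render_suggestion_safe($input) . PHP_EOL;
```

The unsafe output contains the raw `"><b>x</b>` sequence inside the anchor, which a browser parses as new markup; the hardened output carries only entity-encoded and URL-encoded text. The detection hint for a review of any WordPress plugin is the same: every `echo`/`print` of a value taken from `$_GET`, `$_POST` or `$_REQUEST` should pass through an `esc_*` helper matching its output context.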


Advisories

Source: EUVD
ID: EUVD-2025-3175
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound QMean – WordPress Did You Mean allows Reflected XSS. This issue affects QMean – WordPress Did You Mean: from n/a through 2.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound QMean – WordPress Did You Mean allows Reflected XSS. This issue affects QMean – WordPress Did You Mean: from n/a through 2.0.
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arash Safari QMean – WordPress Did You Mean qmean allows Reflected XSS.This issue affects QMean – WordPress Did You Mean: from n/a through <= 2.0.

Type: References (updated)

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 14 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values removed: {'score': 0.00032}
Values added: {'score': 0.00035}


Sun, 13 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values removed: {'score': 0.00072}
Values added: {'score': 0.00032}


Fri, 14 Feb 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 14 Feb 2025 13:00:00 +0000

Type: Description
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound QMean – WordPress Did You Mean allows Reflected XSS. This issue affects QMean – WordPress Did You Mean: from n/a through 2.0.

Type: Title
Values added: WordPress QMean plugin <= 2.0 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values added: CWE-79

Type: References (added)

Type: Metrics (cvssV3_1)
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:08.518Z

Reserved: 2025-01-16T11:23:57.519Z

Link: CVE-2025-23428

Vulnrichment

Updated: 2025-02-14T15:36:36.862Z

NVD

Status : Deferred

Published: 2025-02-14T13:15:43.160

Modified: 2026-06-17T08:54:17.430

Link: CVE-2025-23428

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T16:45:20Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')