Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in altima-interactive Altima Lookbook Free for WooCommerce altima-lookbook-free-for-woocommerce allows Reflected XSS. This issue affects Altima Lookbook Free for WooCommerce: from n/a through <= 1.1.0.
Published: 2025-01-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation allows an attacker to inject arbitrary client-side script, via user-controlled data, into pages rendered by the Altima Lookbook Free for WooCommerce plugin. The vulnerability is a classic reflected XSS: when a victim visits a crafted URL, the injected script runs in the victim's browser, potentially enabling session hijacking, defacement, or phishing. The weakness lies in the plugin's handling of query parameters or form fields without proper output escaping, which corresponds to CWE-79.

Affected Systems

The Altima Lookbook Free for WooCommerce plugin, developed by Altima-Interactive, is affected in all versions from the earliest release through 1.1.0. Any WordPress site with an affected version of the plugin installed is exposed.

Risk and Exploitability

The CVSS v3.1 base score of 7.1 (High) reflects a flaw that is reachable over the network and requires no privileges, but does require user interaction (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). The EPSS score of less than 1% suggests that exploitation is unlikely at present, and the vulnerability is not listed in CISA's KEV catalog. Consistent with the description, the attack vector is web interaction with unsanitized plugin inputs: a victim must view a maliciously crafted URL or submit a crafted form for the script to execute.

Generated by OpenCVE AI on May 2, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Altima Lookbook Free for WooCommerce to any newer version than 1.1.0, if such a version has been released.
  • If an upgrade is not feasible, immediately disable or delete the plugin to remove the XSS entry point.
  • Configure a web application firewall or server‑side script filtering to block or sanitize unexpected script payloads in user inputs.


Advisories

Source: EUVD
ID: EUVD-2025-3176
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in altimawebsystems.com Altima Lookbook Free for WooCommerce allows Reflected XSS. This issue affects Altima Lookbook Free for WooCommerce: from n/a through 1.1.0.
History

Wed, 29 Apr 2026 10:15:00 +0000
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description, value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in altimawebsystems.com Altima Lookbook Free for WooCommerce allows Reflected XSS. This issue affects Altima Lookbook Free for WooCommerce: from n/a through 1.1.0.
  Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in altima-interactive Altima Lookbook Free for WooCommerce altima-lookbook-free-for-woocommerce allows Reflected XSS. This issue affects Altima Lookbook Free for WooCommerce: from n/a through <= 1.1.0.
  References: (no values listed)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 17 Jan 2025 20:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Jan 2025 20:15:00 +0000
  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in altimawebsystems.com Altima Lookbook Free for WooCommerce allows Reflected XSS. This issue affects Altima Lookbook Free for WooCommerce: from n/a through 1.1.0.
  Title: WordPress Altima Lookbook Free for WooCommerce plugin <= 1.1.0 - Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References: (no values listed)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:53.711Z

Reserved: 2025-01-16T11:23:57.519Z

Link: CVE-2025-23429

Vulnrichment

Updated: 2025-01-17T17:22:52.240Z

NVD

Status: Deferred

Published: 2025-01-16T20:15:34.057

Modified: 2026-04-29T10:16:40.390

Link: CVE-2025-23429

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T06:30:36Z

Weaknesses