Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rhizomaticweb RWS Enquiry And Lead Follow-up rws-enquiry allows Reflected XSS. This issue affects RWS Enquiry And Lead Follow-up: from n/a through <= 1.0.
Published: 2025-03-26
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin fails to properly neutralize user‑supplied data before embedding it into generated pages, allowing attackers to inject malicious scripts that are executed in the browser of anyone who views affected pages. This cross‑site scripting flaw can lead to credential theft, session hijacking, defacement or the execution of arbitrary JavaScript in the victim’s context, thereby compromising the confidentiality, integrity, and availability of the site’s users.

Affected Systems

The weakness exists in the Rhizomaticweb RWS Enquiry And Lead Follow‑up WordPress plugin. Any WordPress installation running any version of the plugin from the initial release up to and including 1.0 is vulnerable. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 7.1 classifies the flaw as high severity. The EPSS score of less than 1% indicates a very low but non‑zero probability of exploitation in the wild, and the vulnerability is not currently listed in CISA’s KEV catalog. Inferred from the description, the most likely attack vector is remote, whereby an attacker crafts a link or submits data that contains malicious code, which is then reflected back into the application’s output and executed in the victim’s browser.

Generated by OpenCVE AI on May 1, 2026 at 13:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the latest version (or remove it completely if an update is not available).
  • Ensure that any data received by the plugin is strictly validated and sanitized before being incorporated into responses, using WordPress escaping functions such as esc_html.
  • Restrict the plugin’s functionality by disabling unused form fields and enabling a site‑wide script‑blocking or web‑application firewall rule that blocks injected JavaScript.
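As an added illustration of the escaping advice above (hypothetical code written for this page, not taken from the rws-enquiry plugin), a minimal WordPress shortcode that reflects request parameters, shown first with the raw-echo pattern behind CWE-79 and then with escaping chosen for each output context:

```php
<?php
// Hypothetical enquiry-form shortcode; all function and parameter names
// (hypo_enquiry_*, name, ref, back) are constructed for this example.

// BEFORE: reflected values are written into the page unchanged.
// Anything in ?name= or ?ref= lands in the HTML body / attribute as-is,
// which is the reflected-XSS pattern described by CWE-79.
function hypo_enquiry_unsafe() {
    $name = isset( $_GET['name'] ) ? $_GET['name'] : '';
    $ref  = isset( $_GET['ref'] )  ? $_GET['ref']  : '';
    return '<p>Thanks, ' . $name . '</p>'
         . '<input type="hidden" name="ref" value="' . $ref . '">';
}

// AFTER: sanitize on input, then escape late for the exact output context.
// WordPress adds slashes to superglobals, so wp_unslash() comes first.
function hypo_enquiry_safe() {
    $name = isset( $_GET['name'] )
        ? sanitize_text_field( wp_unslash( $_GET['name'] ) ) : '';
    $ref  = isset( $_GET['ref'] )
        ? sanitize_text_field( wp_unslash( $_GET['ref'] ) ) : '';
    // A user-supplied return link: esc_url_raw() for storage/validation,
    // esc_url() at output; both reject javascript: and other disallowed schemes.
    $back = isset( $_GET['back'] )
        ? esc_url_raw( wp_unslash( $_GET['back'] ) ) : home_url( '/' );

    return '<p>Thanks, ' . esc_html( $name ) . '</p>'            // HTML text
         . '<input type="hidden" name="ref" value="'
         . esc_attr( $ref ) . '">'                                // attribute
         . '<a href="' . esc_url( $back ) . '">Back</a>';         // URL
}

// Only the hardened version is wired up; the unsafe one exists to show the pattern.
add_shortcode( 'hypo_enquiry', 'hypo_enquiry_safe' );
```

The choice of escaping function follows the destination (esc_html for element text, esc_attr inside attributes, esc_url for href/src); applying esc_html to a value placed in an attribute or URL is not sufficient.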

Advisories
Source: EUVD
ID: EUVD-2025-8198
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound RWS Enquiry And Lead Follow-up allows Reflected XSS. This issue affects RWS Enquiry And Lead Follow-up: from n/a through 1.0.

History

Thu, 23 Apr 2026 15:00:00 +0000
  • Metrics (cvssV3_1), value added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  • Description, value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound RWS Enquiry And Lead Follow-up allows Reflected XSS. This issue affects RWS Enquiry And Lead Follow-up: from n/a through 1.0.
  • Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rhizomaticweb RWS Enquiry And Lead Follow-up rws-enquiry allows Reflected XSS. This issue affects RWS Enquiry And Lead Follow-up: from n/a through <= 1.0.
  • References
  • Metrics (cvssV3_1), value added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 26 Mar 2025 16:15:00 +0000
  • Metrics (ssvc), value added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 26 Mar 2025 14:45:00 +0000
  • Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound RWS Enquiry And Lead Follow-up allows Reflected XSS. This issue affects RWS Enquiry And Lead Follow-up: from n/a through 1.0.
  • Title, value added: WordPress RWS Enquiry And Lead Follow-up plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability
  • Weaknesses, value added: CWE-79
  • References
  • Metrics (cvssV3_1), value added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:09.727Z

Reserved: 2025-01-16T11:24:55.800Z

Link: CVE-2025-23460

Vulnrichment

Updated: 2025-03-26T15:47:58.374Z

NVD

Status : Deferred

Published: 2025-03-26T15:15:53.830

Modified: 2026-06-17T08:54:32.907

Link: CVE-2025-23460

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T13:45:06Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')