Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Messenlehner WP-Announcements wp-announcements allows Reflected XSS.This issue affects WP-Announcements: from n/a through <= 1.8.
Published: 2025-01-21
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input during web page generation in the WP‑Announcements plugin allows reflected cross‑site scripting. The vulnerability is a classic input‑validation flaw (CWE‑79) that can enable attackers to inject arbitrary script into a page viewed by other users, potentially leading to session hijacking, data theft, or defacement.

Affected Systems

The vulnerability affects the WordPress plugin WP‑Announcements from the vendor Brian Messenlehner, for all releases up to and including version 1.8. Users running any versions 1.8 or earlier are impacted, regardless of the WordPress core version.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity, while the EPSS score of less than 1% denotes a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. It is likely exploitable via a crafted URL that, when visited by an authenticated or unauthenticated user, reflects malicious script back into the page. The requirement for user interaction and unprivileged access makes this a moderate‑to‑high risk scenario, warranting prompt remediation.

Generated by OpenCVE AI on May 1, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP‑Announcements plugin to the latest available version, which removes the input neutralization flaw.
  • If an upgrade is not immediately possible, completely remove the WP‑Announcements plugin from the installation until a patched version is released.
  • Apply strict content‑security‑policy headers or XSS protection headers at the web‑server level to mitigate reflected script execution for any remaining vulnerable content.

Generated by OpenCVE AI on May 1, 2026 at 19:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3206 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Messenlehner of WebDevStudios WP-Announcements allows Reflected XSS. This issue affects WP-Announcements: from n/a through 1.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Messenlehner of WebDevStudios WP-Announcements allows Reflected XSS. This issue affects WP-Announcements: from n/a through 1.8. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Messenlehner WP-Announcements wp-announcements allows Reflected XSS.This issue affects WP-Announcements: from n/a through <= 1.8.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 21 Jan 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Jan 2025 17:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Messenlehner of WebDevStudios WP-Announcements allows Reflected XSS. This issue affects WP-Announcements: from n/a through 1.8.
Title WordPress WP-Announcements plugin <= 1.8 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:10.695Z

Reserved: 2025-01-16T11:25:20.560Z

Link: CVE-2025-23489

cve-icon Vulnrichment

Updated: 2025-01-21T18:36:05.492Z

cve-icon NVD

Status : Deferred

Published: 2025-01-21T18:15:16.740

Modified: 2026-06-17T08:54:46.770

Link: CVE-2025-23489

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T20:00:13Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')