Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Stursberg Browser-Update-Notify browser-update-notify allows Reflected XSS. This issue affects Browser-Update-Notify: from n/a through <= 0.2.1.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is due to improper neutralization of input during web page generation, allowing reflected XSS. A malicious user can embed JavaScript or other code in a URL that the plugin echoes unescaped, which is then executed in a victim’s browser when that URL is visited.

Affected Systems

Michael Stursberg’s Browser‑Update‑Notify plugin for WordPress is affected. All installations running version 0.2.1 or earlier are vulnerable; no later versions are listed as impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. The EPSS score of less than 1% suggests that exploitation is currently uncommon. The vulnerability is not listed in CISA KEV. Based on the description, it is inferred that an attacker could craft a link containing the payload and entice a user to open it (the CVSS vector's UI:R reflects this user-interaction requirement). Successful exploitation requires the victim's browser to execute the injected script, which it will do unless defenses such as a Content Security Policy or server-side output escaping intervene.

Generated by OpenCVE AI on May 2, 2026 at 11:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Browser‑Update‑Notify plugin to a version newer than 0.2.1 if a release is available.
  • Deactivate or uninstall the plugin if an upgrade cannot be applied promptly.
  • Add a Content-Security-Policy header that blocks inline scripts, and verify that the plugin's output is properly escaped before it is rendered.

Advisories
Source: EUVD
ID: EUVD-2025-5744
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Browser-Update-Notify allows Reflected XSS. This issue affects Browser-Update-Notify: from n/a through 0.2.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Browser-Update-Notify allows Reflected XSS. This issue affects Browser-Update-Notify: from n/a through 0.2.1.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Stursberg Browser-Update-Notify browser-update-notify allows Reflected XSS. This issue affects Browser-Update-Notify: from n/a through <= 0.2.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 03 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Browser-Update-Notify allows Reflected XSS. This issue affects Browser-Update-Notify: from n/a through 0.2.1.
Title WordPress Browser-Update-Notify plugin <= 0.2.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:10.679Z

Reserved: 2025-01-16T11:25:20.560Z

Link: CVE-2025-23490

Vulnrichment

Updated: 2025-03-03T20:23:29.590Z

NVD

Status: Deferred

Published: 2025-03-03T14:15:38.077

Modified: 2026-04-23T15:23:49.357

Link: CVE-2025-23490

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T11:15:19Z

Weaknesses