Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikash Srivastava VSTEMPLATE Creator vstemplate-creator allows Reflected XSS. This issue affects VSTEMPLATE Creator: from n/a through <= 2.0.2.
Published: 2025-02-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input that allows an attacker to inject script into an HTTP response. When a crafted request is made, the plugin echoes the attacker‑supplied data without adequate output encoding, so arbitrary JavaScript executes in the browser of any user who views the affected page. This can lead to theft of session cookies, defacement of the site, or non‑consensual actions performed on behalf of the user. The weakness corresponds to CWE‑79, a classic reflected XSS flaw.

Affected Systems

Vikash Srivastava’s VSTEMPLATE Creator WordPress plugin is affected. All releases from the product’s earliest version up to and including 2.0.2 are vulnerable. Any WordPress installation that has this plugin installed and enabled is at risk.

Risk and Exploitability

The CVSS score of 7.1 places the flaw in the moderate‑to‑high severity range. The EPSS score of less than 1% indicates a low probability of exploitation currently, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote attacker sending a specifically crafted URL or embedding a malicious link. A victim who opens the link is exposed to the injected script, so the flaw is exploitable from a web browser context without any additional authentication.

Generated by OpenCVE AI on May 1, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade VSTEMPLATE Creator to the latest version that removes the reflected XSS flaw.
  • If an upgrade is not immediately possible, deactivate or uninstall the plugin to eliminate the attack surface.
  • As a temporary measure, implement input sanitization or escape user‑supplied values in the plugin’s output and ensure the site’s CSP policy blocks inline scripts.
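The third recommendation (escape user‑supplied values at output and block inline scripts with CSP) is the standard fix for the CWE‑79 pattern described under Impact. The snippet below is an added illustration written for this page; it is not the VSTEMPLATE Creator plugin's code, and the request parameter name `template_name`, the `vs_example_*` function names and the specific CSP directives are assumptions. It shows the unsafe echo pattern next to its hardened form using the WordPress sanitization and escaping helpers, plus a CSP header registered on the `send_headers` action:

```php
<?php
// Added illustration, not the VSTEMPLATE Creator plugin's code. The request
// parameter "template_name", the vs_example_* names and the CSP policy are
// assumptions chosen for this example.

// Unsafe pattern (the defect class CWE-79 describes): a request parameter is
// written straight into the HTML response without encoding.
function vs_example_render_unsafe() {
    $name = isset( $_GET['template_name'] ) ? $_GET['template_name'] : '';
    echo '<h2>Template: ' . $name . '</h2>';                               // raw HTML text
    echo '<input type="text" name="template_name" value="' . $name . '">'; // raw attribute
}

// Hardened pattern: unslash and sanitize on input, then escape for the exact
// output context. esc_html() for element text, esc_attr() for attribute values.
function vs_example_render_safe() {
    $name = isset( $_GET['template_name'] )
        ? sanitize_text_field( wp_unslash( $_GET['template_name'] ) )
        : '';
    echo '<h2>Template: ' . esc_html( $name ) . '</h2>';
    echo '<input type="text" name="template_name" value="' . esc_attr( $name ) . '">';
}

// Defense in depth: a Content-Security-Policy that disallows inline script, so
// an injected <script> element or inline event handler is not executed even if
// an escaping bug slips through. Tune the policy to the site before deploying;
// 'self' alone breaks themes and plugins that rely on inline JavaScript.
function vs_example_send_csp() {
    if ( ! headers_sent() ) {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
    }
}
add_action( 'send_headers', 'vs_example_send_csp' );
```

Escaping at output, not only sanitizing at input, is the decisive control: `sanitize_text_field()` strips tags but does not guarantee safety inside an attribute, while `esc_attr()`/`esc_html()` encode for the context they are used in. The CSP header is a second layer and should be rolled out in report‑only mode first on a site that has not used one before.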



Advisories

  Source: EUVD
  ID: EUVD-2025-3207
  Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vikashsrivastava1111989 VSTEMPLATE Creator allows Reflected XSS. This issue affects VSTEMPLATE Creator: from n/a through 2.0.2.
History

Fri, 24 Apr 2026 12:15:00 +0000

  Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1) added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vikashsrivastava1111989 VSTEMPLATE Creator allows Reflected XSS. This issue affects VSTEMPLATE Creator: from n/a through 2.0.2.
  Description added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikash Srivastava VSTEMPLATE Creator vstemplate-creator allows Reflected XSS.This issue affects VSTEMPLATE Creator: from n/a through <= 2.0.2.
  References: updated
  Metrics (cvssV3_1) added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Mon, 14 Jul 2025 13:45:00 +0000

  Metrics (epss) removed: {'score': 0.00035}
  Metrics (epss) added: {'score': 0.00045}

Mon, 03 Feb 2025 14:30:00 +0000

  Description added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vikashsrivastava1111989 VSTEMPLATE Creator allows Reflected XSS. This issue affects VSTEMPLATE Creator: from n/a through 2.0.2.
  Title added: WordPress VSTEMPLATE Creator plugin <= 2.0.2 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses added: CWE-79
  References: updated
  Metrics (cvssV3_1) added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:10.705Z

Reserved: 2025-01-16T11:25:20.560Z

Link: CVE-2025-23491

Vulnrichment

Updated: 2025-02-03T16:07:29.620Z

NVD

Status : Deferred

Published: 2025-02-03T15:15:20.640

Modified: 2026-04-23T15:23:49.460

Link: CVE-2025-23491

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T18:00:09Z

Weaknesses