Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CantonBolo WordPress 淘宝客插件 taobaoke allows Reflected XSS. This issue affects WordPress 淘宝客插件: from n/a through <= 1.1.2.
Published: 2025-02-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Neutralization of Input During Web Page Generation flaw (CWE-79) that allows Reflected Cross‑Site Scripting (XSS) in the CantonBolo WordPress 淘宝客插件 taobaoke plugin. Because certain input parameters are reflected into the page response without proper escaping, an attacker can craft input that is echoed back to a victim’s browser and interpreted as script. The impact is that an attacker can execute arbitrary JavaScript in the context of a site visitor, potentially leading to cookie theft, session hijacking, or defacement.

Affected Systems

The CantonBolo WordPress 淘宝客插件 taobaoke plugin is affected in all versions from an unspecified starting point through 1.1.2. Users should verify that their installed version is not 1.1.2 or lower.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while an EPSS score below 1% shows that the estimated likelihood of exploitation in the wild is currently low. The vulnerability is not listed in the CISA KEV catalog. Attackers would typically trigger the XSS by crafting a specially formed URL or form input that the plugin processes and reflects in the page response. No authentication or privileged access is required to exploit this reflected vulnerability (PR:N in the CVSS vector), although a victim must be induced to open the crafted request (UI:R).

Generated by OpenCVE AI on May 1, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the taobaoke plugin to the latest available version that addresses the XSS flaw.
  • If the plugin is not essential, consider disabling or removing it from the WordPress installation.
  • Ensure that any user‑supplied data displayed by the plugin or site is properly escaped or sanitized to prevent script injection.
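The third action above, escaping user-supplied data before it is written into a page, is the fix class for CWE-79. The following PHP is an added illustration and is not the taobaoke plugin's code; it does not describe which parameter the plugin actually reflects. It shows a hypothetical WordPress shortcode that reflects a request parameter, first without escaping and then in a hardened form that uses the WordPress escaping function matching each output context. The parameter name `tbk_keyword`, the shortcode name and the function names are assumptions.

```php
<?php
/**
 * Hypothetical example (not the taobaoke plugin's code): a shortcode that
 * reflects a search keyword from the request back into the rendered page.
 * The parameter name 'tbk_keyword' and all function names are assumed.
 */

// VULNERABLE PATTERN: request data is concatenated into HTML with no escaping
// (CWE-79). Whatever markup arrives in the parameter is rendered by the browser,
// which is exactly the reflected XSS condition described in the advisory.
function tbk_keyword_box_unsafe( $atts ) {
    $keyword = isset( $_GET['tbk_keyword'] ) ? wp_unslash( $_GET['tbk_keyword'] ) : '';
    return '<div class="tbk-search">'
        . '<p>Results for: ' . $keyword . '</p>'
        . '<input type="text" name="tbk_keyword" value="' . $keyword . '">'
        . '</div>';
}

// HARDENED PATTERN: escape for the exact output context where each value lands.
function tbk_keyword_box_safe( $atts ) {
    // Normalize the raw value first. sanitize_text_field() strips tags and control
    // characters, but it is an input sanitizer, not an output escape, so the
    // context-specific escaping below is still required.
    $keyword = isset( $_GET['tbk_keyword'] )
        ? sanitize_text_field( wp_unslash( $_GET['tbk_keyword'] ) )
        : '';

    // Link back to the same page with the keyword as a query argument.
    // add_query_arg() does not escape for HTML output, so wrap it in esc_url().
    $permalink = add_query_arg( 'tbk_keyword', $keyword, get_permalink() );

    return '<div class="tbk-search">'
        // Element text: esc_html() encodes < > & " ' so a tag is displayed, not parsed.
        . '<p>Results for: ' . esc_html( $keyword ) . '</p>'
        // Attribute value: esc_attr() prevents breaking out of the quoted attribute.
        . '<input type="text" name="tbk_keyword" value="' . esc_attr( $keyword ) . '">'
        // href: esc_url() rejects unsafe schemes and encodes the remaining characters.
        . '<a href="' . esc_url( $permalink ) . '">Permalink to this search</a>'
        . '</div>';
}

// Only the hardened handler is registered; the unsafe one is kept for comparison.
add_shortcode( 'tbk_keyword_box', 'tbk_keyword_box_safe' );
```

The rule the hardened function applies is "escape late, for the context": the same string needs esc_html() in element text, esc_attr() inside an attribute and esc_url() in an href, and sanitizing on input does not remove that requirement. Checking the installed plugin version against the 1.1.2 ceiling can be done from the WordPress admin Plugins screen or with WP-CLI (`wp plugin get <slug> --field=version`, where the plugin directory slug is assumed here rather than taken from the advisory).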



Advisories
Source: EUVD
ID: EUVD-2025-3208
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CantonBolo WordPress 淘宝客插件 allows Reflected XSS. This issue affects WordPress 淘宝客插件: from n/a through 1.1.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics cvssV3_1
Values: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CantonBolo WordPress 淘宝客插件 allows Reflected XSS. This issue affects WordPress 淘宝客插件: from n/a through 1.1.2.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CantonBolo WordPress 淘宝客插件 taobaoke allows Reflected XSS. This issue affects WordPress 淘宝客插件: from n/a through <= 1.1.2.

Type: References

Type: Metrics cvssV3_1
Values: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 14 Jul 2025 13:45:00 +0000

Type: Metrics epss
Values Removed: {'score': 0.00032}
Values Added: {'score': 0.00035}


Sun, 13 Jul 2025 13:45:00 +0000

Type: Metrics epss
Values Removed: {'score': 0.00072}
Values Added: {'score': 0.00032}


Fri, 14 Feb 2025 16:15:00 +0000

Type: Metrics ssvc
Values: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 14 Feb 2025 13:00:00 +0000

Type: Description
Values: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CantonBolo WordPress 淘宝客插件 allows Reflected XSS. This issue affects WordPress 淘宝客插件: from n/a through 1.1.2.

Type: Title
Values: WordPress 淘宝客插件 plugin <= 1.1.2 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values: CWE-79

Type: References

Type: Metrics cvssV3_1
Values: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:10.724Z

Reserved: 2025-01-16T11:25:26.987Z

Link: CVE-2025-23492

Vulnrichment

Updated: 2025-02-14T15:36:27.812Z

NVD

Status: Deferred

Published: 2025-02-14T13:15:43.573

Modified: 2026-06-17T08:54:48.187

Link: CVE-2025-23492

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T16:45:20Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')