Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blrt Blrt WP Embed blrt-wp-embed allows Reflected XSS.This issue affects Blrt WP Embed: from n/a through <= 1.6.9.
Published: 2025-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Blrt WP Embed plugin writes request data into generated pages without neutralising it (CWE-79), producing a reflected cross-site scripting flaw. Because the input is echoed without adequate escaping, an attacker can inject JavaScript that runs in the victim's browser under the origin of the vulnerable WordPress site. The CVSS vector rates the loss of confidentiality, integrity and availability as low for each, which is typical for XSS: the payload can read page content and any cookies not marked HttpOnly, issue requests as the victim, and alter or break the page being viewed, but it does not by itself compromise the server.

Affected Systems

WordPress installations that have the Blrt WP Embed plugin installed with a version equal to or older than 1.6.9. The vendor is Blrt and the affected product is the Blrt WP Embed plugin.

Risk and Exploitability

The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) scores 7.1, High: the flaw is reachable over the network with no privileges, but a victim must open a crafted link (UI:R), and scope is changed because the payload executes in the victim's browser rather than in the plugin itself. The EPSS score below 1% indicates a low predicted probability of exploitation in the near term, the CVE is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none. All three reflect the absence of observed exploitation, not a technical barrier to it; a working exploit for a reflected XSS of this kind is a single URL. Based on the description, an attacker would craft a URL (or a form that submits to the site) whose parameter the plugin echoes unescaped into the response, so any user who opens that link executes the attacker's JavaScript in the context of the affected site.

Generated by OpenCVE AI on May 2, 2026 at 05:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Blrt WP Embed plugin to a vendor release newer than 1.6.9 that addresses this issue. No fixed version is recorded on this page, so confirm in the vendor's changelog or the WordPress plugin directory that a given release actually contains the fix before relying on it.
  • If no update is available, deactivate the plugin. The vector (PR:N, UI:R) means an unauthenticated attacker only needs a victim to open a crafted link, so leaving the plugin active on a public site keeps every visitor exposed. Where the reflected parameter has been identified, a web server or WAF rule that rejects requests carrying markup in that parameter is a partial stopgap, not a fix.
  • Any data the plugin still reflects must be escaped for the output context at the point it is written to the page: esc_html() for text nodes, esc_attr() for attribute values, esc_url() for src/href values, esc_js() for strings placed in inline script, and wp_kses() only where a limited HTML subset is intentionally allowed. sanitize_text_field() is an input sanitiser that strips tags but does not encode quotes, so on its own it does not make a value safe to place in an HTML attribute.
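The following PHP shows the vulnerable pattern and the hardened one side by side. It is an added example written for this page, not code from the Blrt WP Embed plugin: the query parameters `blrt_id` and `title`, the embed markup, the `example.invalid` host and the identifier format are all assumptions, and the `esc_html()`/`esc_attr()`/`esc_url()` definitions are simplified stand-ins for WordPress's own functions so the file runs under plain `php` on the command line (inside WordPress the real functions are already loaded and the stand-ins are skipped).

```php
<?php
// Added illustration for CVE-2025-23507 (reflected XSS, CWE-79) in a WordPress embed
// plugin. Not the Blrt WP Embed plugin's code: the parameter names, markup, host and
// identifier format are assumptions chosen to show the bug class and its fix.

// Simplified stand-ins for WordPress escaping helpers so this runs under plain `php`.
// Inside WordPress the real esc_html()/esc_attr()/esc_url() exist and these are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $s): string {
        // The real esc_url() also normalises the URL; here only http(s) is allowed, else ''.
        $s = trim($s);
        return preg_match('#\Ahttps?://#i', $s)
            ? htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
            : '';
    }
}

// Vulnerable pattern: request values are concatenated straight into the response, so a
// crafted link such as ?blrt_id="><script>...</script> closes the attribute and runs.
function render_embed_vulnerable(array $get): string {
    $id    = (string)($get['blrt_id'] ?? '');
    $title = (string)($get['title'] ?? '');
    return '<div class="blrt-embed" data-id="' . $id . '">'
         . '<iframe src="https://example.invalid/embed/' . $id . '"></iframe>'
         . '<p>' . $title . '</p></div>';
}

// Hardened pattern: validate values that have a strict format and refuse the rest;
// escape everything else for the exact context it lands in (attribute, URL, text).
function render_embed_hardened(array $get): string {
    $id    = (string)($get['blrt_id'] ?? '');
    $title = (string)($get['title'] ?? '');
    // Assumed identifier alphabet; anything outside it is rejected, never echoed.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id)) {
        return '<p>' . esc_html('Invalid embed id') . '</p>';
    }
    $src = esc_url('https://example.invalid/embed/' . $id);
    return '<div class="blrt-embed" data-id="' . esc_attr($id) . '">'
         . '<iframe src="' . $src . '"></iframe>'
         . '<p>' . esc_html($title) . '</p></div>';
}

// Constructed requests standing in for $_GET on a crafted link (not captured traffic).
function attack_requests(): array {
    return [
        'attribute_breakout' => [
            'blrt_id' => '"><script>alert(document.domain)</script>',
            'title'   => 'x',
        ],
        'text_node_payload' => [
            'blrt_id' => 'abc123',
            'title'   => '<img src=x onerror=alert(1)>',
        ],
    ];
}

// True if the response still contains an unescaped tag that came from the request.
function has_live_markup(string $html): bool {
    return (bool)preg_match('/<(script|img)\b/i', $html);
}

if (PHP_SAPI === 'cli') {
    foreach (attack_requests() as $name => $req) {
        printf("%-19s vulnerable: %-4s hardened: %s\n", $name,
            has_live_markup(render_embed_vulnerable($req)) ? 'XSS' : 'ok',
            has_live_markup(render_embed_hardened($req))   ? 'XSS' : 'ok');
    }
}
```

Run it with `php example.php`: both constructed requests produce live markup from the vulnerable renderer and none from the hardened one. The design point is that the fix is applied per output context at the moment of writing (attribute, URL, text node), with strict validation used where the value has a known format; a single generic sanitiser at input time is what the recommendation above warns against.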

Generated by OpenCVE AI on May 2, 2026 at 05:48 UTC.


Advisories
Source: EUVD
ID: EUVD-2025-3217
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blrt Blrt WP Embed allows Reflected XSS. This issue affects Blrt WP Embed: from n/a through 1.6.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blrt Blrt WP Embed allows Reflected XSS. This issue affects Blrt WP Embed: from n/a through 1.6.9.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blrt Blrt WP Embed blrt-wp-embed allows Reflected XSS.This issue affects Blrt WP Embed: from n/a through <= 1.6.9.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 22 Jan 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Jan 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blrt Blrt WP Embed allows Reflected XSS. This issue affects Blrt WP Embed: from n/a through 1.6.9.
Title WordPress Blrt WP Embed plugin <= 1.6.9 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:10.835Z

Reserved: 2025-01-16T11:25:35.343Z

Link: CVE-2025-23507

Vulnrichment

Updated: 2025-01-22T16:17:27.758Z

NVD

Status : Deferred

Published: 2025-01-22T15:15:16.910

Modified: 2026-04-23T15:23:52.277

Link: CVE-2025-23507

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T06:00:13Z

Weaknesses