Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SecureSubmit Heartland Management Terminal allows Reflected XSS. This issue affects Heartland Management Terminal: from n/a through 1.3.0.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic Cross‑Site Scripting flaw caused by improper neutralization of user input during web page generation. Malicious actors can embed JavaScript in a crafted URL or form field that the plugin reflects back to the browser, allowing the execution of arbitrary scripts in the victim’s context. This can be used for session hijacking, cookie theft, or defacement. The weakness is classified as CWE‑79.

Affected Systems

The WordPress Heartland Management Terminal plugin from SecureSubmit is affected for all releases from the initial version up to and including version 1.3.0. Any WordPress site that has this plugin installed and running a vulnerable version is susceptible.

Risk and Exploitability

With a CVSS score of 7.1 the flaw is considered medium‑high severity. The EPSS score of <1% indicates a very low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The most likely attack vector is remote, via a crafted URL or input field that the plugin reflects. An attacker only needs to convince a user to visit a malicious link or submit a form to trigger the XSS payload.

Generated by OpenCVE AI on May 2, 2026 at 04:01 UTC.

Remediation

Vendor Solution

Update the WordPress Heartland Management Terminal wordpress plugin to the latest available version (at least 1.4.0).

OpenCVE Recommended Actions

  • Upgrade the Heartland Management Terminal plugin to version 1.4.0 or later. This version removes the reflected XSS flaw.
  • Activate a Content Security Policy that blocks inline scripts and restricts script execution to trusted sources on pages served by the plugin.
  • Disable or uninstall the Heartland Management Terminal plugin if the site does not rely on it.

Generated by OpenCVE AI on May 2, 2026 at 04:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-5740 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SecureSubmit Heartland Management Terminal allows Reflected XSS. This issue affects Heartland Management Terminal: from n/a through 1.3.0.
History

Tue, 28 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SecureSubmit Heartland Management Terminal heartland-management-terminal allows Reflected XSS.This issue affects Heartland Management Terminal: from n/a through <= 1.3.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SecureSubmit Heartland Management Terminal allows Reflected XSS. This issue affects Heartland Management Terminal: from n/a through 1.3.0.
References

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SecureSubmit Heartland Management Terminal allows Reflected XSS. This issue affects Heartland Management Terminal: from n/a through 1.3.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SecureSubmit Heartland Management Terminal heartland-management-terminal allows Reflected XSS.This issue affects Heartland Management Terminal: from n/a through <= 1.3.0.
References

Wed, 05 Mar 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 03 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SecureSubmit Heartland Management Terminal allows Reflected XSS. This issue affects Heartland Management Terminal: from n/a through 1.3.0.
Title WordPress Heartland Management Terminal plugin <= 1.3.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:11.883Z

Reserved: 2025-01-16T11:25:42.451Z

Link: CVE-2025-23520

cve-icon Vulnrichment

Updated: 2025-03-05T16:55:05.403Z

cve-icon NVD

Status : Deferred

Published: 2025-03-03T14:15:39.630

Modified: 2026-04-28T19:28:44.930

Link: CVE-2025-23520

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T04:15:06Z

Weaknesses