Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 Track Page Scroll track-page-scroll allows Reflected XSS. This issue affects Track Page Scroll: from n/a through <= 1.0.2.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Track Page Scroll WordPress plugin allows an attacker to supply input that the plugin writes into a generated page without adequate escaping, so that a crafted request is reflected back and executed as script in the victim's browser, within the origin of the affected WordPress site. The script can read cookies that are not marked HttpOnly, issue requests that carry the victim's session (with the victim's privileges, including administrative ones if an administrator is targeted), and alter the page as that victim sees it. Because the flaw is reflected rather than stored, nothing is persisted on the site; each victim has to be induced to open a crafted URL or submit a crafted form, which is why the score carries User Interaction: Required. The vector rates the confidentiality, integrity and availability impact as Low.

Affected Systems

The affected product is the WordPress plugin Track Page Scroll (slug track-page-scroll), authored by mndpsingh287, in all versions up to and including 1.0.2; no lower bound is given (from n/a). Any installation running one of these versions remains exposed until a fixed release is installed or the plugin is removed.
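A way to confirm whether a given installation falls in the affected range, as an added example rather than code from the plugin, from Patchstack or from OpenCVE. It reads the standard header comment in a plugin's main PHP file (the header below is constructed for the example) and compares the version numerically against the advisory's upper bound of 1.0.2; the lower bound is n/a, so everything at or below 1.0.2 counts as affected.

```python
"""Affected-version check for the Track Page Scroll advisory (added example)."""
import re
from typing import List, Optional, Tuple

# Constructed sample of the header comment that every WordPress plugin's
# main PHP file carries. Only the "Version:" line is used below.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Track Page Scroll
Version: 1.0.2
Author: mndpsingh287
*/
"""

AFFECTED_MAX = "1.0.2"   # advisory: affected from n/a through <= 1.0.2


def plugin_version(php_source: str) -> Optional[str]:
    """Return the Version: field of a WordPress plugin header, or None."""
    m = re.search(r"^[ \t/*]*Version:[ \t]*(\S+)", php_source, re.MULTILINE)
    return m.group(1) if m else None


def version_key(version: str) -> List[Tuple[int, object]]:
    """Key for numeric comparison: 1.0.10 sorts after 1.0.2, unlike string
    order. Numeric components rank above non-numeric ones (e.g. 'beta')."""
    key: List[Tuple[int, object]] = []
    for part in version.split("."):
        key.append((1, int(part)) if part.isdigit() else (0, part))
    return key


def is_affected(version: str, max_affected: str = AFFECTED_MAX) -> bool:
    """True when version <= max_affected; missing trailing components are
    treated as zero so that 1.0 and 1.0.0 compare equal."""
    a, b = version_key(version), version_key(max_affected)
    width = max(len(a), len(b))
    a += [(1, 0)] * (width - len(a))
    b += [(1, 0)] * (width - len(b))
    return a <= b


if __name__ == "__main__":
    v = plugin_version(SAMPLE_PLUGIN_HEADER)
    print(v, "affected" if v and is_affected(v) else "not affected")  # 1.0.2 affected
```

On a live site the header lives in the plugin's main file under wp-content/plugins/ (assuming the directory is named after the slug track-page-scroll given in the description), and WP-CLI reports the same value with `wp plugin get track-page-scroll --field=version`.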

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High) follows from the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: the attack is launched over the network with low complexity and no privileges, but it requires user interaction (the victim must open a crafted link), scope is changed because the injected script runs in the user's browser rather than in the security context of the vulnerable plugin itself, and confidentiality, integrity and availability impact are each rated Low. The EPSS estimate below 1% puts the predicted probability of exploitation in the wild over the next 30 days at the low end, consistent with the issue not appearing in the CISA KEV catalog. The likely attack path is inducing a user, ideally one who is logged in to the WordPress site, to open a crafted link whose parameters the plugin reflects into the response; the script then runs in that user's browser with access to the site's origin and can act with that session or alter the page as that user sees it. This page does not name the affected parameter or endpoint.

Generated by OpenCVE AI on May 2, 2026 at 04:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Track Page Scroll to a release newer than 1.0.2 as soon as one is published. This page currently records no vendor fix, so if no fixed release is available, deactivate and remove the plugin rather than leaving it dormant: deactivation does not delete the plugin's files, and PHP files under wp-content/plugins/ can sometimes be requested directly. If you maintain a patched fork, sanitize request parameters on input (for example with sanitize_text_field()) and escape every value at the point it is written into HTML with the WordPress escaping functions (esc_html(), esc_attr(), esc_url()).
  • If neither upgrading nor removing is immediately feasible, add a web application firewall rule that blocks reflected XSS payloads in requests to the site. Because this page does not name the affected parameter, the rule has to cover all parameters and decode URL and HTML encodings before matching, and it is a stopgap that a determined attacker may bypass, not a fix.
  • Deploy a Content Security Policy that limits script execution to trusted sources. It only reduces the impact of a reflected payload if script-src does not allow 'unsafe-inline'; WordPress themes and plugins commonly emit inline scripts, so allow those with per-request nonces or hashes rather than a blanket allowance. Also confirm that session cookies carry the HttpOnly flag so that injected script cannot read them directly.
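What the WAF recommendation above has to do in practice, as an added example rather than any vendor's rule set or the plugin's code: a triage pass over access-log lines (constructed for the example, not real traffic) that looks for reflected-XSS payloads in every query parameter, since this page does not say which parameter the plugin reflects. The normalisation step is the point: the same payload arrives percent-encoded, double-encoded or as HTML entities, and a rule that matches only the raw query misses it.

```python
"""Reflected-XSS payload triage over access-log lines (added example; the
log lines are constructed, the rules are illustrative, not a vendor WAF)."""
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed combined-format lines. Only the second to fifth carry payloads;
# the fourth is double-encoded (%2526lt%253B -> %26lt%3B -> &lt;), a common
# evasion of rules that decode the query only once.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2025:14:20:01 +0000] "GET /?p=12&s=scrolling HTTP/1.1" 200 5123
203.0.113.8 - - [03/Mar/2025:14:20:05 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5210
203.0.113.9 - - [03/Mar/2025:14:20:09 +0000] "GET /page/?q=%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 5300
203.0.113.10 - - [03/Mar/2025:14:20:11 +0000] "GET /?s=%2526lt%253Bscript%2526gt%253B HTTP/1.1" 200 5000
203.0.113.11 - - [03/Mar/2025:14:20:15 +0000] "GET /?redirect=javascript%3Aalert(document.cookie) HTTP/1.1" 302 0
"""

# Patterns are matched against lower-cased, fully decoded parameter values.
RULES = [
    ("script-tag", re.compile(r"<\s*/?\s*script\b")),
    ("html-tag", re.compile(r"<\s*(?:iframe|img|svg|object|embed|body|details|math)\b")),
    # Event handler injected after a quote or whitespace: " onmouseover="
    ("event-handler", re.compile(r"(?:^|[\s\"'/])on[a-z]+\s*=")),
    ("javascript-uri", re.compile(r"javascript\s*:")),
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/'
)


def normalise(value: str) -> str:
    """Undo the encodings that sit between the wire and the rendered page:
    repeated percent-decoding (stops when stable, at most three rounds),
    then HTML entity decoding, then case folding."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return html.unescape(value).lower()


def scan_request(line: str) -> list:
    """Return one finding per suspicious query parameter in a log line."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    findings = []
    query = urlsplit(m.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        text = normalise(value)
        for rule, pattern in RULES:
            if pattern.search(text):
                findings.append({"ip": m.group("ip"), "param": name,
                                 "rule": rule, "payload": value})
                break   # one finding per parameter is enough for triage
    return findings


def scan_log(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        findings.extend(scan_request(line))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["param"], f["rule"], repr(f["payload"]))
```

Used as a blocking rule, the same patterns will both miss payloads (event handlers behind further obfuscation, tags the list does not name) and hit legitimate input that happens to contain `<` or `on...=`, so tune them against the site's real traffic and treat them as a bridge until the plugin is fixed or removed; POST bodies are not covered by access logs and need the same normalisation in the WAF itself.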

Advisories

  Source: EUVD
  ID: EUVD-2025-5709
  Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Track Page Scroll allows Reflected XSS. This issue affects Track Page Scroll: from n/a through 1.0.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description, removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Track Page Scroll allows Reflected XSS. This issue affects Track Page Scroll: from n/a through 1.0.2.
  Description, added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 Track Page Scroll track-page-scroll allows Reflected XSS.This issue affects Track Page Scroll: from n/a through <= 1.0.2.
  References: updated (values not shown)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Mon, 03 Mar 2025 13:45:00 +0000 (initial record)

  Description, added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Track Page Scroll allows Reflected XSS. This issue affects Track Page Scroll: from n/a through 1.0.2.
  Title, added: WordPress Track Page Scroll plugin <= 1.0.2 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses, added: CWE-79
  References: added (values not shown)
  Metrics (cvssV3_1), added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:12.307Z

Reserved: 2025-01-16T11:25:56.884Z

Link: CVE-2025-23536

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2025-03-03T14:15:40.187

Modified: 2026-06-17T08:55:10.787

Link: CVE-2025-23536

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T04:15:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')