Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Robert D Payne RDP inGroups+ rdp-ingroups allows Reflected XSS.This issue affects RDP inGroups+: from n/a through <= 1.0.6.
Published: 2025-03-26
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of input during web page generation. As a result, malicious input can be reflected back into a page, allowing an attacker to inject and execute JavaScript in a victim’s browser. This facilitates theft of session cookies, defacement of the site, and other client‑side attacks typical of reflected XSS flaws.

Affected Systems

WordPress sites that have the Robert D Payne "RDP inGroups+" plugin installed at version 1.0.6 or earlier are affected. No other products or versions are listed as vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate severity. The EPSS score of less than 1% reflects a low likelihood of exploitation in the wild, and the vulnerability is not currently catalogued in the CISA KEV list. Attackers can trigger the flaw by supplying crafted input or URLs that are processed by the plugin, leading to reflected XSS in the user’s browser.

Generated by OpenCVE AI on May 1, 2026 at 13:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the RDP inGroups+ plugin to a version newer than 1.0.6.
  • If an upgrade is not immediately possible, disable or remove the plugin from the WordPress installation.
  • Configure a web application firewall or content security policy to block reflected scripts and mitigate the impact until a patch is applied.

Generated by OpenCVE AI on May 1, 2026 at 13:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-8194 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound RDP inGroups+ allows Reflected XSS. This issue affects RDP inGroups+: from n/a through 1.0.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound RDP inGroups+ allows Reflected XSS. This issue affects RDP inGroups+: from n/a through 1.0.6. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Robert D Payne RDP inGroups+ rdp-ingroups allows Reflected XSS.This issue affects RDP inGroups+: from n/a through <= 1.0.6.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 26 Mar 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 26 Mar 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound RDP inGroups+ allows Reflected XSS. This issue affects RDP inGroups+: from n/a through 1.0.6.
Title WordPress RDP inGroups+ plugin <= 1.0.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:12.733Z

Reserved: 2025-01-16T11:26:05.062Z

Link: CVE-2025-23546

cve-icon Vulnrichment

Updated: 2025-03-26T15:44:59.895Z

cve-icon NVD

Status : Deferred

Published: 2025-03-26T15:15:57.993

Modified: 2026-06-17T08:55:15.537

Link: CVE-2025-23546

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T13:30:17Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')