Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dezdy.com Dezdy dezdy-mcommerce allows Reflected XSS. This issue affects Dezdy: from n/a through <= 1.0.
Published: 2025-02-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Dezdy plugin for WordPress improperly neutralizes user input during web page generation, which permits reflected cross-site scripting. An attacker can cause script to execute in the browser of any user who visits a crafted URL or submits a form handled by the plugin. This allows the attacker to steal session cookies, deface the site, or redirect users, compromising both the confidentiality and the integrity of user data.

Affected Systems

The affected vendor is Dezdy.com, specifically the Dezdy WordPress plugin (dezdy-mcommerce) at version 1.0 and earlier. Any WordPress installation with the plugin installed at a version <= 1.0 is vulnerable. No other versions are listed.

Risk and Exploitability

The CVSS score of 7.1 classifies the issue as high severity. The EPSS score is below 1%, indicating a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is network-based, via a reflected XSS payload that does not require authentication. Exploitation requires the victim to load a page or click a link processed by the plugin, so social engineering is a likely prerequisite.

Generated by OpenCVE AI on May 1, 2026 at 17:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Dezdy plugin to the latest release newer than v1.0, ensuring the neutralization fix is applied.
  • If an upgrade is not immediately possible, deactivate or uninstall the Dezdy plugin to eliminate the attack surface.
  • Implement a Content Security Policy or set the appropriate HTTP headers to restrict the execution of inline scripts and mitigate any remaining reflected XSS risk.


Tracking


Advisories
Source: EUVD
ID: EUVD-2025-3267
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Burtay Arat Dezdy allows Reflected XSS. This issue affects Dezdy: from n/a through 1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Metrics cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description:
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Burtay Arat Dezdy allows Reflected XSS. This issue affects Dezdy: from n/a through 1.0.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dezdy.com Dezdy dezdy-mcommerce allows Reflected XSS. This issue affects Dezdy: from n/a through <= 1.0.
References
Metrics cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 14 Jul 2025 13:45:00 +0000

Type | Values Removed | Values Added
Metrics epss:
  Removed: {'score': 0.00035}
  Added: {'score': 0.00045}


Tue, 04 Feb 2025 08:15:00 +0000

Type | Values Removed | Values Added
Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 03 Feb 2025 14:30:00 +0000

Type | Values Removed | Values Added
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Burtay Arat Dezdy allows Reflected XSS. This issue affects Dezdy: from n/a through 1.0.
Title: WordPress Dezdy plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses: CWE-79
References
Metrics cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:14.177Z

Reserved: 2025-01-16T11:26:37.847Z

Link: CVE-2025-23590

Vulnrichment

Updated: 2025-02-03T16:07:12.644Z

NVD

Status: Deferred

Published: 2025-02-03T15:15:21.530

Modified: 2026-06-17T08:55:36.917

Link: CVE-2025-23590

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T18:00:09Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')