Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kvvaradha EmailPress emailpress allows Reflected XSS. This issue affects EmailPress: from n/a through <= 1.0.
Published: 2025-02-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation (CWE-79, cross-site scripting) in the kvvaradha EmailPress WordPress plugin, versions 1.0 and earlier: request data is written into a page served by the site without being escaped, so a crafted URL reflects attacker-supplied script into the response. Because the flaw is reflected rather than stored, the script runs only in the browser of a victim who opens that URL, but there it executes in the victim's session on the affected site and can read page content, send requests with the victim's privileges, read any session cookie not flagged HttpOnly, deface the page, or present phishing content.

Affected Systems

WordPress sites that have the kvvaradha EmailPress plugin installed at version 1.0 or lower are impacted. No other versions or WordPress components are listed as affected.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High) follows from the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: reachable over the network, low attack complexity and no privileges required, but user interaction is required (a victim must open the crafted link) and the scope is changed because the injected code runs in the victim's browser rather than in the vulnerable component itself, with low confidentiality, integrity and availability impact each. The EPSS score below 1%, together with the SSVC assessment recorded in the history (Exploitation: none, Automatable: no), indicates little observed exploitation, and the CVE is not listed in the CISA KEV catalog. The attack is web-based: the attacker crafts a URL whose parameter the plugin echoes back unsanitized, and the reflected script executes when a user opens it.

Generated by OpenCVE AI on May 2, 2026 at 09:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade EmailPress to a version above 1.0 as soon as the vendor publishes a fix; the CVE record currently lists no fixed version.
  • If no fixed version is available, disable or uninstall the EmailPress plugin so the vulnerable code is no longer served.
  • Deploy a web application firewall with XSS rules in front of the EmailPress endpoints as a stopgap only; signature-based XSS filters are routinely bypassed and do not replace output escaping in the plugin.
  • Implement a strict Content Security Policy that does not allow inline scripts: a script-src containing 'unsafe-inline' without nonces or hashes blocks nothing, and because WordPress core and many plugins emit inline scripts, roll the policy out in Content-Security-Policy-Report-Only mode first and fix the reports before enforcing it.
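The reflection check from the risk section and the CSP check from the recommendations above, as an added example that is not code from EmailPress, OpenCVE or Patchstack. The vulnerable EmailPress parameter is not named on this page, so the probe takes the target URL and parameter name as arguments; the example.test URL, the q parameter and the HTML responses it is run against are constructed for illustration.

```python
"""Reflected-XSS canary probe and CSP inline-script check.

Added example for this advisory; not code from EmailPress, OpenCVE or
Patchstack.  The vulnerable EmailPress parameter is not named on the page,
so the probe takes the target URL and parameter name as arguments, and the
HTML responses it is run against below are constructed, not captured.
"""
import html
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def make_canary() -> Tuple[str, str]:
    """Return (token, canary).  The canary is a unique, harmless tag with a
    leading quote-breakout; it proves missing escaping without a payload."""
    token = secrets.token_hex(4)
    return token, f'"><x{token}>'


def build_probe_url(url: str, param: str, canary: str) -> str:
    """Add or replace ?param=canary on url, keeping other query parameters."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = canary
    return urlunsplit(parts._replace(query=urlencode(query)))


def classify_reflection(body: str, token: str) -> str:
    """Classify how the canary came back in an HTTP response body.

    'unescaped': the injected tag is present verbatim, i.e. attacker-supplied
                 markup reaches the page (the CWE-79 condition);
    'escaped':   the value is echoed but '<' and '>' were neutralised, as
                 WordPress esc_html()/esc_attr() would do;
    'none':      the parameter is not reflected at all.
    """
    if f"<x{token}>" in body:
        return "unescaped"
    if token in body:
        return "escaped"
    return "none"


def csp_allows_inline_script(csp_header: Optional[str]) -> bool:
    """True if a Content-Security-Policy would still let an injected inline
    <script> execute: no header, no script-src or default-src, or
    'unsafe-inline' with no nonce/hash (a nonce or hash makes CSP2+ browsers
    ignore 'unsafe-inline')."""
    if not csp_header:
        return True
    directives = {}
    for raw in csp_header.split(";"):
        fields = raw.strip().split()
        if fields:
            directives[fields[0].lower()] = [f.lower() for f in fields[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
        for s in sources
    )
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def assess(body: str, token: str, csp_header: Optional[str]) -> dict:
    """Combine both checks into the verdict a tester would record."""
    reflection = classify_reflection(body, token)
    inline_ok = csp_allows_inline_script(csp_header)
    return {
        "reflection": reflection,
        "csp_blocks_inline": not inline_ok,
        "exploitable_xss": reflection == "unescaped" and inline_ok,
    }


# Constructed responses standing in for a WordPress page that echoes a query
# parameter; the token is fixed here so the run is reproducible.
TOKEN = "c0ffee42"
VULNERABLE_BODY = "<p>Results for: " + '"><x' + TOKEN + ">" + "</p>"
PATCHED_BODY = "<p>Results for: " + html.escape('"><x' + TOKEN + ">") + "</p>"


if __name__ == "__main__":
    token, canary = make_canary()
    # Hypothetical target URL and parameter; the real EmailPress endpoint and
    # parameter are not given on the advisory page.
    print(build_probe_url("https://example.test/?s=news", "q", canary))
    policy = "default-src 'self'; script-src 'self' 'unsafe-inline'"
    for label, body in (("vulnerable", VULNERABLE_BODY), ("patched", PATCHED_BODY)):
        print(label, assess(body, TOKEN, policy))
```

In a live test, fetch the URL returned by build_probe_url, pass the response body and its Content-Security-Policy header to assess, and only treat the page as exploitable when the tag comes back unescaped and the policy does not block inline script; the canary itself contains no executable payload, so the check is safe to run against a production site.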


Advisories
Source: EUVD
ID: EUVD-2025-3270
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound EmailPress allows Reflected XSS. This issue affects EmailPress: from n/a through 1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics, cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description, value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound EmailPress allows Reflected XSS. This issue affects EmailPress: from n/a through 1.0.
  Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kvvaradha EmailPress emailpress allows Reflected XSS. This issue affects EmailPress: from n/a through <= 1.0.
  References
  Metrics, cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Mon, 14 Jul 2025 13:45:00 +0000
  Metrics, epss, value removed: {'score': 0.00035}
  Metrics, epss, value added: {'score': 0.00045}

Mon, 03 Feb 2025 17:15:00 +0000
  Metrics, ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 03 Feb 2025 14:30:00 +0000 (initial record, all values added)
  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound EmailPress allows Reflected XSS. This issue affects EmailPress: from n/a through 1.0.
  Title: WordPress EmailPress plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References
  Metrics, cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:14.203Z

Reserved: 2025-01-16T11:26:45.456Z

Link: CVE-2025-23593

Vulnrichment

Updated: 2025-02-03T16:07:07.655Z

NVD

Status: Deferred

Published: 2025-02-03T15:15:21.827

Modified: 2026-04-23T15:24:06.717

Link: CVE-2025-23593

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T09:30:20Z

Weaknesses