Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in patrice Tab My Content tab-my-content allows Reflected XSS. This issue affects Tab My Content: from n/a through <= 1.0.0.
Published: 2025-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability results from improper neutralization of user input during web page generation, enabling attackers to inject malicious JavaScript into pages served to visitors. A reflected XSS flaw allows harmful scripts to run in the victim’s browser, potentially leading to session hijacking, cookie theft, credential compromise, or site defacement.

Affected Systems

The flaw affects the WordPress Tab My Content plugin from patrice, versions up to and including 1.0.0. Administrators should identify any sites running Tab My Content at version 1.0.0 or earlier and address them.

Risk and Exploitability

The CVSS score of 7.1 indicates a high‑severity vulnerability that can be triggered without authentication. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the issue is not listed in the CISA KEV catalog. Attacks are likely to be delivered via crafted URLs that submit unsanitized input to the plugin, so a remote attacker can reach victims through their web browsers.

Generated by OpenCVE AI on May 1, 2026 at 19:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Tab My Content plugin to the latest release (≥1.0.1) or apply the vendor‐supplied patch that sanitizes user input.
  • If a patch is not yet available, temporarily deactivate or uninstall the plugin until a secure version is released.
  • Review any content rendered by the plugin and apply WordPress escaping functions (e.g., esc_html() or esc_js()) to all user‑supplied data before output.
  • Monitor site traffic for suspicious URL patterns or script injections and keep WordPress core, themes, and other plugins updated to reduce other injection vectors.



Advisories
Source: EUVD
ID: EUVD-2025-3276
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Tab My Content allows Reflected XSS. This issue affects Tab My Content: from n/a through 1.0.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Tab My Content allows Reflected XSS. This issue affects Tab My Content: from n/a through 1.0.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in patrice Tab My Content tab-my-content allows Reflected XSS. This issue affects Tab My Content: from n/a through <= 1.0.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 22 Jan 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Jan 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Tab My Content allows Reflected XSS. This issue affects Tab My Content: from n/a through 1.0.0.
Title WordPress Tab My Content plugin <= 1.0.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:14.201Z

Reserved: 2025-01-16T11:26:45.457Z

Link: CVE-2025-23601

Vulnrichment

Updated: 2025-01-22T16:17:01.681Z

NVD

Status: Deferred

Published: 2025-01-22T15:15:18.363

Modified: 2026-04-23T15:24:07.630

Link: CVE-2025-23601

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T20:00:13Z
