Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Helle1 Tagesteller tagesteller allows Reflected XSS. This issue affects Tagesteller: from n/a through <= v.1.1.
Published: 2025-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an Improper Neutralization of Input During Web Page Generation flaw that allows reflected XSS. A malicious user can embed script code in crafted request parameters that Tagesteller fails to sanitize, leading to the execution of arbitrary JavaScript in the browser of anyone who views the affected page. The impact is the compromise of the confidentiality, integrity, or availability of the user session, as well as potential credential theft or website defacement. The weakness is classified as CWE‑79.

Affected Systems

The affected product is the WordPress Tagesteller plugin from vendor Helle1. All installs from the first release through version 1.1 are vulnerable. No other versions are listed as affected.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, and the flaw can be exploited by an unauthenticated user. The EPSS score of <1% reflects a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely reflected XSS, where a crafted URL or form input containing malicious script reaches the client browser, with no authentication required. Because the flaw exists in a widely used WordPress plugin, a broad range of sites could be exposed if the plugin is left unchanged.

Generated by OpenCVE AI on May 1, 2026 at 19:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Tagesteller plugin to a version that removes the XSS flaw.
  • If an updated version is not available, disable or uninstall the Tagesteller plugin to eliminate the vulnerable code path.
  • As a temporary safeguard, apply Web Application Firewall rules or XSS protection headers to block malicious script execution in output generated by Tagesteller, but note this does not replace the need for a plugin update.

Advisories
Source: EUVD
ID: EUVD-2025-3283
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Helmuth Lammer Tagesteller allows Reflected XSS. This issue affects Tagesteller: from n/a through v.1.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Helmuth Lammer Tagesteller allows Reflected XSS. This issue affects Tagesteller: from n/a through v.1.1.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Helle1 Tagesteller tagesteller allows Reflected XSS.This issue affects Tagesteller: from n/a through <= v.1.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 22 Jan 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Jan 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Helmuth Lammer Tagesteller allows Reflected XSS. This issue affects Tagesteller: from n/a through v.1.1.
Title WordPress Tagesteller plugin <= v.1.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:14.461Z

Reserved: 2025-01-16T11:27:03.858Z

Link: CVE-2025-23609

Vulnrichment

Updated: 2025-01-22T16:16:40.413Z

NVD

Status: Deferred

Published: 2025-01-22T15:15:19.343

Modified: 2026-04-23T15:24:08.553

Link: CVE-2025-23609

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T19:45:24Z

Weaknesses