Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alessandro Benoit WpDevTool wpdevtool allows Reflected XSS. This issue affects WpDevTool: from n/a through <= 0.1.1.
Published: 2025-01-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is caused by improper neutralization of user input when the plugin generates a page, allowing an attacker to inject JavaScript that is reflected back to the user's browser. A malicious link or form containing script code can be executed in the victim's session, potentially leading to session hijacking, credential theft, or defacement of the site. The flaw does not provide server-side execution but poses a significant threat to confidentiality, integrity, and availability of the web application and its visitors.

Affected Systems

WordPress sites that have the Alessandro Benoit WpDevTool plugin installed with a version of 0.1.1 or earlier are impacted.

Risk and Exploitability

The CVSS score of 7.1 classifies this as high severity, while the EPSS score of less than 1% shows exploit activity is currently low. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a web-based attack vector and an end-user interaction with a crafted page. Given the high CVSS, proactive patching is recommended to mitigate potential exploitation.

Generated by OpenCVE AI on May 1, 2026 at 19:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WpDevTool to a version newer than 0.1.1 (preferably the most recent release) to eliminate the reflected XSS flaw.
  • If an upgrade cannot be performed immediately, disable or uninstall the plugin to remove the attack surface.
  • As an interim measure, ensure that all data displayed by the plugin is properly escaped (e.g., using esc_html() or similar functions) and apply a web-application firewall rule that blocks script injection payloads.
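The third recommended action (escape all data the plugin displays) is shown below as an added, constructed WordPress snippet. It is not WpDevTool's code and says nothing about where that plugin's flaw actually lies; the function names (example_tool_render_page_unsafe, example_tool_render_page), the page slug and the "filter" query parameter are assumptions for the illustration. esc_html(), esc_attr(), esc_url(), sanitize_text_field(), wp_unslash(), add_query_arg() and admin_url() are real WordPress core functions. The unsafe function reflects a request parameter straight into HTML; the hardened one escapes at output with the escaper matching each context.

```php
<?php
/*
 * Added illustration (not WpDevTool's code): a constructed plugin admin page
 * that reflects a query-string parameter. The first function shows the
 * pattern behind a reflected XSS; the second shows the fix recommended above.
 * Names such as example_tool_render_page and the "filter" parameter are
 * assumptions for this example.
 */

// Unsafe form: the request parameter reaches the HTML unescaped, so a
// crafted link can place markup in the page that the visitor's browser runs.
function example_tool_render_page_unsafe() {
    $filter = isset( $_GET['filter'] ) ? wp_unslash( $_GET['filter'] ) : '';
    echo '<h2>Results for: ' . $filter . '</h2>';
    echo '<input type="text" name="filter" value="' . $filter . '">';
}

// Hardened form: sanitize on input, escape on output, and pick the escaper
// for the context the value lands in (text node, attribute, URL).
function example_tool_render_page() {
    // Input sanitization removes tags and control bytes; it is a separate
    // step from output escaping and does not replace it.
    $filter = isset( $_GET['filter'] )
        ? sanitize_text_field( wp_unslash( $_GET['filter'] ) )
        : '';

    // Text-node context: esc_html() encodes < > & " ' so the value is shown
    // literally instead of being parsed as markup.
    echo '<h2>Results for: ' . esc_html( $filter ) . '</h2>';

    // Attribute context: esc_attr() is the correct escaper inside a quoted
    // attribute value.
    echo '<input type="text" name="filter" value="' . esc_attr( $filter ) . '">';

    // URL context: anything placed into href/src goes through esc_url(),
    // which also rejects javascript: and other disallowed schemes.
    $reset = add_query_arg( 'filter', '', admin_url( 'admin.php?page=example-tool' ) );
    echo '<a href="' . esc_url( $reset ) . '">Reset</a>';
}
```

A WAF rule, as the recommended action says, is only an interim layer: it filters known payload shapes, whereas escaping at output removes the defect regardless of what the input looks like.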

Advisories

Source: EUVD
ID: EUVD-2025-3293
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alessandro Benoit WpDevTool allows Reflected XSS. This issue affects WpDevTool: from n/a through 0.1.1.

History

Fri, 24 Apr 2026 12:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alessandro Benoit WpDevTool allows Reflected XSS. This issue affects WpDevTool: from n/a through 0.1.1.
    Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alessandro Benoit WpDevTool wpdevtool allows Reflected XSS.This issue affects WpDevTool: from n/a through <= 0.1.1.
  References
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 23 Jan 2025 15:45:00 +0000
  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alessandro Benoit WpDevTool allows Reflected XSS. This issue affects WpDevTool: from n/a through 0.1.1.
  Title: WordPress WpDevTool plugin <= 0.1.1 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:14.719Z

Reserved: 2025-01-16T11:27:23.451Z

Link: CVE-2025-23624

Vulnrichment

Updated: 2025-02-12T20:35:12.556Z

NVD

Status: Deferred

Published: 2025-01-23T16:15:38.223

Modified: 2026-06-17T08:55:53.373

Link: CVE-2025-23624

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T19:15:24Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')