Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fxy060608 新淘客WordPress插件 wp-xintaoke allows Reflected XSS. This issue affects 新淘客WordPress插件: from n/a through <= 1.1.2.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, allowing an attacker to inject arbitrary scripts into pages that are served to users. This reflected XSS flaw arises in the fxy060608 新淘客WordPress插件 (wp-xintaoke) when it processes unsanitized query parameters. An attacker can trigger the vulnerability by crafting a URL that contains malicious payloads, which the plugin then echoes back into the page. Because the script runs in the victim's browser, an attacker could steal session cookies, perform phishing, or load additional malicious content on the site.

Affected Systems

Affected systems consist of the fxy060608 新淘客WordPress插件 WordPress plugin, versions from the initial release through <= 1.1.2. Any WordPress installation that has this plugin enabled and is running one of those versions is vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) rates the issue High: it is reachable over the network with no privileges required, but a victim must open the crafted link (UI:R), and the changed scope reflects that the injected script executes in the user's browser rather than in the plugin's own context. The EPSS score of < 1% suggests a currently low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalogue, implying no confirmed or widely known active exploitation. The likely attack path is a crafted URL delivered to users, for example as a link embedded on a third-party site, which executes the reflected content in the context of the vulnerable plugin when the user loads it.

Generated by OpenCVE AI on May 1, 2026 at 14:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the 新淘客WordPress插件 to the latest version where the XSS issue is resolved.
  • If an update is not yet available, disable or remove the plugin until a patch is released.
  • Implement input sanitization or a web application firewall rule to block reflected XSS scripts targeting the plugin’s query parameters.

Advisories

Source: EUVD
ID: EUVD-2025-5705
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound 新淘客WordPress插件 allows Reflected XSS. This issue affects 新淘客WordPress插件: from n/a through 1.1.2.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1):
    {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description:
    Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound 新淘客WordPress插件 allows Reflected XSS. This issue affects 新淘客WordPress插件: from n/a through 1.1.2.
    Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fxy060608 新淘客WordPress插件 wp-xintaoke allows Reflected XSS.This issue affects 新淘客WordPress插件: from n/a through <= 1.1.2.
  References
  Metrics (cvssV3_1):
    {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 04 Mar 2025 03:45:00 +0000
  Metrics (ssvc):
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 03 Mar 2025 13:45:00 +0000
  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound 新淘客WordPress插件 allows Reflected XSS. This issue affects 新淘客WordPress插件: from n/a through 1.1.2.
  Title: WordPress 新淘客WordPress插件 plugin <= 1.1.2 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References
  Metrics (cvssV3_1):
    {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:15.149Z

Reserved: 2025-01-16T11:27:31.286Z

Link: CVE-2025-23637

Vulnrichment

Updated: 2025-03-03T15:55:48.226Z

NVD

Status : Deferred

Published: 2025-03-03T14:15:44.553

Modified: 2026-04-23T15:24:11.860

Link: CVE-2025-23637

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:45:16Z

Weaknesses