Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Umesh Ghimire Frontend Post Submission frontend-post-submission allows Reflected XSS. This issue affects Frontend Post Submission: from n/a through <= 1.0.
Published: 2025-03-26
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an improper neutralization of input during web page generation that allows a reflected cross‑site scripting (XSS) attack. Attackers can supply malicious code that is echoed back in the user’s browser, potentially enabling session hijacking, defacement, or cookie theft when a victim clicks a crafted link. This weakness matches CWE‑79.

Affected Systems

The vulnerability affects the WordPress Frontend Post Submission plugin by Umesh Ghimire, in every release from the earliest available version through version 1.0. Any site exposing the plugin's frontend submission form is affected, whether the submitting users are authenticated or not, until the plugin is updated to a release later than 1.0.

Risk and Exploitability

The CVSS score of 7.1 places this in the high severity range. With an EPSS score below 1%, the likelihood of exploitation is considered low at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path involves a victim receiving a link that contains the malicious payload, an inference based on the nature of reflected XSS. No authentication or elevated privileges are required for exploitation (PR:N in the CVSS vector), although user interaction is required (UI:R), consistent with the crafted-link scenario.

Generated by OpenCVE AI on May 1, 2026 at 13:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Frontend Post Submission plugin to the latest available release, which removes the reflected XSS weakness
  • If immediate upgrade is infeasible, apply sanitization or escape logic to any user‑supplied content before rendering, or disable the submission form until the plugin is patched
  • Configure a robust Content Security Policy to mitigate the impact of any malicious scripts that might be injected
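To make the second and third recommended actions concrete, the following PHP is an added example and is not code from the Frontend Post Submission plugin (whose source is not shown on this page). It contrasts the unescaped reflection pattern that CWE-79 describes with the escaped form, and shows a Content Security Policy header as the defence-in-depth layer. The field name `post_title`, the helper names and the sample input are all hypothetical; in a real WordPress plugin the escaping helper would be replaced by `esc_attr()` / `esc_html()` and the header sent from the `send_headers` action.

```php
<?php
// Added example (not the plugin's code): reflected-XSS mitigation pattern for a
// WordPress-style frontend form. 'post_title' is a hypothetical field name.

// Context-aware escaping helper, equivalent in intent to WordPress esc_attr()/esc_html():
// encode <, >, &, " and ' so the browser treats the value as text, never as markup.
function escape_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// VULNERABLE pattern: the request value is written straight into the page, so a
// quote or angle bracket in the input changes the markup (this is what CWE-79 describes).
function render_title_field_unsafe(array $request): string {
    $title = $request['post_title'] ?? '';
    return '<input type="text" name="post_title" value="' . $title . '">';
}

// HARDENED pattern: every reflected value is escaped for the context it lands in.
// Here that is an attribute value; element text would use esc_html() and an href esc_url().
function render_title_field_safe(array $request): string {
    $title = $request['post_title'] ?? '';
    return '<input type="text" name="post_title" value="' . escape_html($title) . '">';
}

// Defence in depth: a policy that disallows inline script limits what an injected
// payload can do even if an escaping bug remains somewhere in the page.
// In WordPress: add_action('send_headers', 'send_csp_header');
function send_csp_header(): void {
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    }
}

// Constructed sample input containing markup characters (not a real payload).
$sample = ['post_title' => 'Hello "world" <b>&</b>'];

// The unsafe rendering lets the quote in the input terminate the value attribute;
// the safe rendering keeps the whole string inside the attribute as encoded text.
echo render_title_field_unsafe($sample), PHP_EOL;
echo render_title_field_safe($sample), PHP_EOL;
```

Escaping must happen at output time and per context (attribute, element text, URL, JavaScript string); escaping once at input time and storing the result is the pattern that tends to leave gaps. The CSP line is a floor, not a fix: it reduces the blast radius of an injection but does not remove the reflected output that the upgrade or the escaping change addresses.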

Advisories
Source: EUVD
ID: EUVD-2025-8190
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Frontend Post Submission allows Reflected XSS. This issue affects Frontend Post Submission: from n/a through 1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Frontend Post Submission allows Reflected XSS. This issue affects Frontend Post Submission: from n/a through 1.0.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Umesh Ghimire Frontend Post Submission frontend-post-submission allows Reflected XSS.This issue affects Frontend Post Submission: from n/a through <= 1.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 26 Mar 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 26 Mar 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Frontend Post Submission allows Reflected XSS. This issue affects Frontend Post Submission: from n/a through 1.0.
Title WordPress Frontend Post Submission plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:15.816Z

Reserved: 2025-01-16T11:27:31.286Z

Link: CVE-2025-23638

Vulnrichment

Updated: 2025-03-26T15:43:24.623Z

NVD

Status : Deferred

Published: 2025-03-26T15:15:58.940

Modified: 2026-06-17T08:56:00.007

Link: CVE-2025-23638

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T13:30:17Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')