Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in razvypp Tidy.ro tidyro allows Reflected XSS. This issue affects Tidy.ro: from n/a through <= 1.3.
Published: 2025-02-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Tidy.ro plugin for WordPress fails to properly neutralize user-supplied input when rendering web pages, allowing a malicious script to be injected into the page that the requesting user views. This reflected XSS flaw lets an attacker deliver and execute arbitrary JavaScript in the victim's browser, potentially stealing session cookies, manipulating the page content, or redirecting the user to phishing sites.

Affected Systems

Any WordPress installation running the Tidy.ro plugin at version 1.3 or earlier is vulnerable. The issue applies to all releases from the first available version up through 1.3, regardless of the active theme or other installed plugins.

Risk and Exploitability

The CVSS score of 7.1 places this flaw in the high severity range. The EPSS score of less than 1% indicates that exploitation is expected to be uncommon at the time of assessment, and the vulnerability is not listed in CISA's KEV catalogue. The likely attack vector is client-side, where an attacker can craft a malicious link containing the vulnerable input and entice a user to click it. No privileged access or server-side code execution is required, but the risk remains significant for users who may interact with such links.

Generated by OpenCVE AI on May 2, 2026 at 04:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Tidy.ro to the latest version that removes the reflected XSS flaw.
  • If an update is not feasible, deactivate or uninstall the plugin from the WordPress installation to eliminate the vulnerability surface.
  • Configure a strong Content Security Policy that disallows unsafe script execution, and ensure that any remaining user input is properly encoded before rendering.

Advisories
Source: EUVD
ID: EUVD-2025-3314
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in razvypp Tidy.ro allows Reflected XSS. This issue affects Tidy.ro: from n/a through 1.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in razvypp Tidy.ro allows Reflected XSS. This issue affects Tidy.ro: from n/a through 1.3. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in razvypp Tidy.ro tidyro allows Reflected XSS.This issue affects Tidy.ro: from n/a through <= 1.3.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00032}

epss

{'score': 0.00035}


Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00072}

epss

{'score': 0.00032}


Fri, 14 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 14 Feb 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in razvypp Tidy.ro allows Reflected XSS. This issue affects Tidy.ro: from n/a through 1.3.
Title WordPress Tidy.ro plugin <= 1.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:35:56.499Z

Reserved: 2025-01-16T11:27:38.285Z

Link: CVE-2025-23650

Vulnrichment

Updated: 2025-02-14T15:35:53.150Z

NVD

Status: Deferred

Published: 2025-02-14T13:15:45.063

Modified: 2026-06-17T08:56:05.860

Link: CVE-2025-23650

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T04:45:34Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')