Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mauricio Urrego ChatGPT Open AI Images & Content for WooCommerce glasses-for-woocommerce allows Reflected XSS. This issue affects ChatGPT Open AI Images & Content for WooCommerce: from n/a through <= 2.2.0.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation (CWE‑79) that allows a reflected cross‑site scripting flaw in the WordPress plugin "ChatGPT Open AI Images & Content for WooCommerce". This flaw can be used to execute arbitrary JavaScript in the context of the visitor’s browser, facilitating phishing, cookie theft, or defacement. The flaw arises when the plugin echoes user‑controlled data without adequate escaping.

Affected Systems

The affected product is the ChatGPT Open AI Images & Content for WooCommerce plugin by Mauricio Urrego, all releases from the earliest available version through 2.2.0. Any site that has installed a version up to 2.2.0 is vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates high impact and medium attack complexity. The EPSS score of <1% implies a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Attackers can deliver malicious content via crafted web requests or URLs that trigger the vulnerable plugin, reflecting the payload back to unsuspecting users. The same flaw could be monetized through credential theft or malicious redirects if actively exploited.

Generated by OpenCVE AI on May 1, 2026 at 14:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of the ChatGPT Open AI Images & Content for WooCommerce plugin (version 2.3.0 or newer).
  • If an upgrade cannot be performed immediately, disable or uninstall the plugin to block the vulnerable code path.
  • Validate that all user input handled by the plugin is properly escaped or sanitized before rendering; review the plugin’s output routines for missing encoding.

Advisories
Source: EUVD
ID: EUVD-2025-5702
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound ChatGPT Open AI Images & Content for WooCommerce allows Reflected XSS. This issue affects ChatGPT Open AI Images & Content for WooCommerce: from n/a through 2.2.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound ChatGPT Open AI Images & Content for WooCommerce allows Reflected XSS. This issue affects ChatGPT Open AI Images & Content for WooCommerce: from n/a through 2.2.0.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mauricio Urrego ChatGPT Open AI Images & Content for WooCommerce glasses-for-woocommerce allows Reflected XSS. This issue affects ChatGPT Open AI Images & Content for WooCommerce: from n/a through <= 2.2.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 03 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound ChatGPT Open AI Images & Content for WooCommerce allows Reflected XSS. This issue affects ChatGPT Open AI Images & Content for WooCommerce: from n/a through 2.2.0.
Title WordPress ChatGPT Open AI Images & Content for WooCommerce plugin <= 2.2.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:16.246Z

Reserved: 2025-01-16T11:27:59.221Z

Link: CVE-2025-23668

Vulnrichment

Updated: 2025-03-03T15:55:43.288Z

NVD

Status: Deferred

Published: 2025-03-03T14:15:44.833

Modified: 2026-06-17T08:56:14.557

Link: CVE-2025-23668

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:45:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')