Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in montashov 4 author cheer up donate 4-author-cheer-up-donate allows Reflected XSS. This issue affects 4 author cheer up donate: from n/a through <= 1.3.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected Cross‑Site Scripting flaw caused by improper neutralization of user-supplied input during page generation in the 4‑author‑cheer‑up‑donate plugin. An attacker can supply malicious data that the plugin echoes back in a response page, allowing execution of arbitrary JavaScript in the victim's browser. This can lead to cookie theft, session hijacking, defacement or other malicious actions, as detailed by CWE‑79.

Affected Systems

The issue affects the WordPress plugin 4‑author‑cheer‑up‑donate developed by montashov, in all released versions from the beginning of the series up to and including version 1.3.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. The EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is currently very low, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, the typical attack vector is a crafted URL or form input that the plugin reflects, and any website that uses the vulnerable plugin is at risk if its users open such a crafted request.

Generated by OpenCVE AI on May 1, 2026 at 14:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the 4‑author‑cheer‑up‑donate plugin to a version newer than 1.3 or to a currently supported release.
  • If an upgrade is not immediately possible, sanitise all user input handled by the plugin or replace the vulnerable code with a secure implementation that properly encodes output.
  • Deploy a Content‑Security‑Policy that restricts execution of inline scripts, mitigating the impact of any remaining reflected XSS payloads.

Advisories
Source: EUVD
ID: EUVD-2025-5703
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound 4 author cheer up donate allows Reflected XSS. This issue affects 4 author cheer up donate: from n/a through 1.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  • Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound 4 author cheer up donate allows Reflected XSS. This issue affects 4 author cheer up donate: from n/a through 1.3.
  • Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in montashov 4 author cheer up donate 4-author-cheer-up-donate allows Reflected XSS. This issue affects 4 author cheer up donate: from n/a through <= 1.3.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 04 Mar 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 03 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound 4 author cheer up donate allows Reflected XSS. This issue affects 4 author cheer up donate: from n/a through 1.3.
Title WordPress 4 author cheer up donate plugin <= 1.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:16.617Z

Reserved: 2025-01-16T11:27:59.221Z

Link: CVE-2025-23670

Vulnrichment

Updated: 2025-03-04T21:47:08.870Z

NVD

Status: Deferred

Published: 2025-03-03T14:15:44.970

Modified: 2026-06-17T08:56:15.500

Link: CVE-2025-23670

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:45:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')