Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Md Imranur Rahman LocalGrid localgrid allows Reflected XSS. This issue affects LocalGrid: from n/a through <= 1.0.1.
Published: 2025-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Md Imranur Rahman LocalGrid plugin contains an improper neutralization of input during web page generation, allowing attackers to inject malicious scripts that execute in the browsers of site visitors. This reflected XSS flaw means that a crafted request can embed arbitrary JavaScript, potentially leading to defacement, credential theft, or drive‑by malware infections for anyone who follows a vulnerable link or submits a tampered form. The vulnerability is a classic CWE‑79 weakness: input is reflected into the page without sufficient validation or output encoding.

Affected Systems

WordPress sites that have installed the LocalGrid plugin, with any version up to and including 1.0.1. No specific versions beyond 1.0.1 are listed as affected, and newer releases are presumed to have applied the fix.

Risk and Exploitability

The CVSS score is 7.1, indicating high severity. The EPSS score of less than 1% shows that, although exploitation is possible, the likelihood of exploitation in the wild is currently low. The vulnerability is not listed in the CISA KEV catalog. An attack would require a user to visit a maliciously crafted URL or interact with a manipulated form, so the vector is web input delivered to the target WordPress site through a victim's browser. Because the flaw is a reflected XSS, any visitor to the site could be affected if they open the crafted payload.

Generated by OpenCVE AI on May 1, 2026 at 19:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LocalGrid to the latest version that contains the XSS fix (or at least version 1.0.2 if available).
  • Configure the plugin to use rigorous output encoding on all user‑supplied data, ensuring HTML or JavaScript is escaped before rendering.
  • Restrict administrative access and ensure only trusted personnel can modify plugin configurations or input fields.

Generated by OpenCVE AI on May 1, 2026 at 19:41 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-3337
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound LocalGrid allows Reflected XSS. This issue affects LocalGrid: from n/a through 1.0.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound LocalGrid allows Reflected XSS. This issue affects LocalGrid: from n/a through 1.0.1.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Md Imranur Rahman LocalGrid localgrid allows Reflected XSS. This issue affects LocalGrid: from n/a through <= 1.0.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 23 Jan 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Jan 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound LocalGrid allows Reflected XSS. This issue affects LocalGrid: from n/a through 1.0.1.
Title WordPress LocalGrid plugin <= 1.0.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:03:58.087Z

Reserved: 2025-01-16T11:28:07.195Z

Link: CVE-2025-23678

Vulnrichment

Updated: 2025-01-23T17:02:55.499Z

NVD

Status : Deferred

Published: 2025-01-22T15:15:20.703

Modified: 2026-06-17T08:56:19.303

Link: CVE-2025-23678

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T19:45:24Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')