Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tahminajannat REDIRECTION PLUS redirection-plus allows Reflected XSS. This issue affects REDIRECTION PLUS: from n/a through <= 2.0.0.
Published: 2025-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an improper neutralization of input during web page generation (CWE‑79). A user‑supplied parameter is inserted into the page without adequate sanitization, allowing an attacker to inject JavaScript. When a crafted link is clicked, the malicious script runs in the victim’s browser, potentially enabling session hijacking, defacement, or delivery of further malicious content.

Affected Systems

The vulnerability exists in the REDIRECTION PLUS plugin for WordPress, supplied by the vendor tahminajannat. Versions from the initial release through 2.0.0 are affected. Any WordPress site that has the plugin installed and is running a version in that range is susceptible.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% shows a low but non‑zero exploitation probability. The flaw is not listed in the CISA KEV catalog, but attackers can exploit it remotely by embedding malicious payloads in the plugin’s redirection parameters. The attack requires the victim to click a crafted link, so the vulnerability is a reflected XSS that relies on user interaction.

Generated by OpenCVE AI on May 1, 2026 at 19:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade REDIRECTION PLUS to the newest available version (2.0.1 or later) that contains the XSS fix.
  • Review any custom redirection rules on the site and ensure they sanitize inputs or restrict to trusted URLs only.
  • If upgrading is delayed, add a web application firewall rule or equivalent filter that blocks or neutralizes JavaScript payloads in URL query strings used by the plugin’s redirect endpoint.

Advisories
Source: EUVD
ID: EUVD-2025-3339
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jannatqualitybacklinks.com REDIRECTION PLUS allows Reflected XSS. This issue affects REDIRECTION PLUS: from n/a through 2.0.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jannatqualitybacklinks.com REDIRECTION PLUS allows Reflected XSS. This issue affects REDIRECTION PLUS: from n/a through 2.0.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tahminajannat REDIRECTION PLUS redirection-plus allows Reflected XSS. This issue affects REDIRECTION PLUS: from n/a through <= 2.0.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 23 Jan 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Jan 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jannatqualitybacklinks.com REDIRECTION PLUS allows Reflected XSS. This issue affects REDIRECTION PLUS: from n/a through 2.0.0.
Title WordPress REDIRECTION PLUS plugin <= 2.0.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:02:47.043Z

Reserved: 2025-01-16T11:28:07.196Z

Link: CVE-2025-23681

Vulnrichment

Updated: 2025-01-23T17:01:41.337Z

NVD

Status: Deferred

Published: 2025-01-22T15:15:20.977

Modified: 2026-06-17T08:56:20.713

Link: CVE-2025-23681

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T19:45:24Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')