Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webdeal Podčlánková inzerce podclankova-inzerce allows Reflected XSS. This issue affects Podčlánková inzerce: from n/a through <= 2.4.0.
Published: 2025-01-22
Score: 7.1 (High)
EPSS: < 1% (Very Low)
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input allows reflected Cross‑Site Scripting, enabling an attacker to inject and execute arbitrary JavaScript in the context of a victim’s browser. By exploiting this flaw, an attacker could execute malicious scripts that steal authentication cookies, deface the site, or redirect users to phishing pages, compromising confidentiality and potentially leading to broader compromise of the WordPress installation.

Affected Systems

webdeal's Podčlánková inzerce plugin for WordPress is affected. All releases from the earliest available version through version 2.4.0 are vulnerable. Sites using any of these versions are at risk.

Risk and Exploitability

The CVSS score of 7.1 highlights significant impact, while the EPSS score of less than 1% indicates that the likelihood of exploitation in the wild is currently low. The vulnerability is not listed in the CISA KEV catalog. The flaw is a reflected XSS, implying that the attack vector is a web‑based request, typically a crafted URL or form parameter that the plugin does not properly escape. An attacker who can lure a user to a maliciously constructed link on a WordPress site running the vulnerable plugin can inject script payloads that execute when the link is followed.

Generated by OpenCVE AI on May 1, 2026 at 19:36 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Podčlánková inzerce to a version newer than 2.4.0 once a patch is available.
  • If an upgrade is not possible, configure the plugin to escape or sanitize all user‑supplied input before output, or disable the feature that processes untrusted data.
  • Consider removing the vulnerable plugin altogether and replacing it with a trusted alternative.

Advisories

Source: EUVD
ID: EUVD-2025-3353
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebDeal s.r.o. Podčlánková inzerce allows Reflected XSS. This issue affects Podčlánková inzerce: from n/a through 2.4.0.

History

Each entry lists the change type and the recorded values (removed and/or added).

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description, value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebDeal s.r.o. Podčlánková inzerce allows Reflected XSS. This issue affects Podčlánková inzerce: from n/a through 2.4.0.
  Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webdeal Podčlánková inzerce podclankova-inzerce allows Reflected XSS. This issue affects Podčlánková inzerce: from n/a through <= 2.4.0.
  References: (no values shown)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 22 Jan 2025 16:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Jan 2025 14:45:00 +0000
  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebDeal s.r.o. Podčlánková inzerce allows Reflected XSS. This issue affects Podčlánková inzerce: from n/a through 2.4.0.
  Title: WordPress Podčlánková inzerce plugin <= 2.4.0 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References: (no values shown)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE
  Status: PUBLISHED
  Assigner: Patchstack
  Published:
  Updated: 2026-04-28T16:11:17.208Z
  Reserved: 2025-01-16T11:28:22.879Z
  Link: CVE-2025-23697

Vulnrichment
  Updated: 2025-01-22T15:14:16.405Z

NVD
  Status: Deferred
  Published: 2025-01-22T15:15:22.000
  Modified: 2026-06-17T08:56:28.580
  Link: CVE-2025-23697

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-05-01T19:45:24Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')