Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in milordk Jet Skinner for BuddyPress (jet-skinner-for-buddypress) allows Reflected XSS. This issue affects Jet Skinner for BuddyPress: from n/a through <= 1.2.5.
Published: 2025-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Jet Skinner for BuddyPress plugin contains a flaw where user input is reflected back to the browser without proper sanitization, allowing an attacker to inject and execute arbitrary JavaScript code in the victim’s session. This reflected XSS weakness (CWE‑79) can enable session hijacking, credential theft, or web page defacement while the user interacts with the vulnerable site. The impact is restricted to the individual who accesses a malicious URL or form and does not provide a direct path to system compromise.

Affected Systems

WordPress installations that have the milordk Jet Skinner for BuddyPress plugin version 1.2.5 or earlier are affected. Any site running the plugin within this version range is potentially vulnerable; no further build or configuration details are supplied.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity risk, but the EPSS rating of less than 1% suggests that exploit attempts are rare at present, and the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is the delivery of a crafted URL or form payload that includes malicious script content, inferred from the description of the reflected XSS issue. Proper sanitization of user input or the availability of an updated plugin would mitigate this risk.

Generated by OpenCVE AI on May 2, 2026 at 05:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Jet Skinner for BuddyPress plugin release that removes the XSS flaw
  • Configure a web application firewall or security plugin to block JavaScript payloads in incoming requests
  • Review and sanitize any custom code that feeds data into the plugin’s input fields

Generated by OpenCVE AI on May 2, 2026 at 05:43 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-3360
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Jet Skinner for BuddyPress allows Reflected XSS. This issue affects Jet Skinner for BuddyPress: from n/a through 1.2.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values added:

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Jet Skinner for BuddyPress allows Reflected XSS. This issue affects Jet Skinner for BuddyPress: from n/a through 1.2.5.
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in milordk Jet Skinner for BuddyPress (jet-skinner-for-buddypress) allows Reflected XSS. This issue affects Jet Skinner for BuddyPress: from n/a through <= 1.2.5.

Type: References

Type: Metrics (cvssV3_1)
Values added:

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 22 Jan 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Jan 2025 14:45:00 +0000

Type: Description
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Jet Skinner for BuddyPress allows Reflected XSS. This issue affects Jet Skinner for BuddyPress: from n/a through 1.2.5.

Type: Title
Values added: WordPress Jet Skinner for BuddyPress plugin <= 1.2.5 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values added:

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:17.723Z

Reserved: 2025-01-16T11:28:31.296Z

Link: CVE-2025-23706

Vulnrichment

Updated: 2025-01-22T16:16:07.868Z

NVD

Status: Deferred

Published: 2025-01-22T15:15:22.387

Modified: 2026-06-17T08:56:32.990

Link: CVE-2025-23706

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T05:45:20Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')