Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matamko En Masse en-masse-wp allows Reflected XSS.This issue affects En Masse: from n/a through <= 1.0.
Published: 2025-12-31
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Matamko En Masse plugin (versions up to 1.0) contains an improper neutralization of input during web page generation. This flaw allows an attacker to embed malicious script into a reflected response, which can be executed in the browser of any user who views the crafted page. The vulnerability is a classic client‑side injection identified as CWE‑79.

Affected Systems

The affected product is the WordPress En Masse plugin from the vendor Matamko, specifically versions from n/a through 1.0 inclusive. Any WordPress installation using these versions of the plugin is potentially vulnerable until the issue is resolved.

Risk and Exploitability

The CVSS score of 7.1 indicates a high risk for browsers that load the vulnerable pages. The reported EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The exploit is inferred to be conducted via a crafted URL or input field that the plugin re‑displays without proper encoding, so attackers can target any user who follows a malicious link or visits a specifically constructed page.

Generated by OpenCVE AI on May 2, 2026 at 00:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the En Masse plugin to the latest version that removes the reflected XSS flaw.
  • If an update is not yet available, disable or uninstall the En Masse plugin to eliminate the attack surface.
  • Add or strengthen Content‑Security‑Policy directives to mitigate the impact of any remaining script injection attempts.

Generated by OpenCVE AI on May 2, 2026 at 00:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matamko En Masse allows Reflected XSS.This issue affects En Masse: from n/a through 1.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matamko En Masse en-masse-wp allows Reflected XSS.This issue affects En Masse: from n/a through <= 1.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 02 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 31 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matamko En Masse allows Reflected XSS.This issue affects En Masse: from n/a through 1.0.
Title WordPress En Masse plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:17.776Z

Reserved: 2025-01-16T11:28:31.297Z

Link: CVE-2025-23707

cve-icon Vulnrichment

Updated: 2026-01-02T19:32:24.035Z

cve-icon NVD

Status : Deferred

Published: 2025-12-31T20:15:41.630

Modified: 2026-06-17T08:56:33.460

Link: CVE-2025-23707

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T01:00:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')