Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mind3dom Mind3doM RyeBread Widgets mind3dom-ryebread-widgets allows Reflected XSS. This issue affects Mind3doM RyeBread Widgets: from n/a through <= 1.0.
Published: 2025-01-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during page generation that results in reflected XSS. When a user follows a crafted URL containing malicious script, the script is executed in the victim’s browser. Based on the description, it is inferred that an attacker could use this to steal cookies, hijack sessions, deface the site, or deliver additional malware to the victim. The flaw is classified as CWE‑79 and allows an attacker to run arbitrary scripts with the victim’s privileges within the WordPress site.

Affected Systems

WordPress installations that use the Mind3doM RyeBread Widgets plugin from the initial release up to and including version 1.0. Any user who loads a page that renders the widget is potentially affected.

Risk and Exploitability

The CVSS score of 7.1 indicates a high-severity vulnerability. The EPSS score of less than 1% suggests that exploitation in the wild is unlikely at this time, and the flaw is not listed in the CISA KEV catalog, meaning no widespread public exploitation is known. The likely attack vector is remote exploitation via a malicious URL that includes script content; no authentication is required, but the victim must click or visit the crafted link. The attacker can then execute arbitrary JavaScript in the victim's browser context.

Generated by OpenCVE AI on May 2, 2026 at 05:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mind3doM RyeBread Widgets to a version newer than 1.0 or uninstall the plugin if no update is available.
  • Disable or remove any widgets, shortcodes, or features that invoke the vulnerable code path until a patch is applied.
  • Apply a Web Application Firewall or security plugin that blocks reflected XSS patterns and enforce a strict content‑security‑policy to prevent script execution on the site.


Advisories
Source: EUVD
ID: EUVD-2025-3370
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Mind3doM RyeBread Widgets allows Reflected XSS. This issue affects Mind3doM RyeBread Widgets: from n/a through 1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Mind3doM RyeBread Widgets allows Reflected XSS. This issue affects Mind3doM RyeBread Widgets: from n/a through 1.0.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mind3dom Mind3doM RyeBread Widgets mind3dom-ryebread-widgets allows Reflected XSS. This issue affects Mind3doM RyeBread Widgets: from n/a through <= 1.0.

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Jan 2025 15:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Mind3doM RyeBread Widgets allows Reflected XSS. This issue affects Mind3doM RyeBread Widgets: from n/a through 1.0.

Type: Title
Values Removed: (none)
Values Added: WordPress Mind3doM RyeBread Widgets plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:09:18.610Z

Reserved: 2025-01-16T11:28:53.181Z

Link: CVE-2025-23722

Vulnrichment

Updated: 2025-02-12T20:34:55.815Z

NVD

Status: Deferred

Published: 2025-01-23T16:15:39.117

Modified: 2026-06-17T08:56:40.603

Link: CVE-2025-23722

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T05:45:20Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')