Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pshikli Accessibility Task Manager accessibility-task-manager allows Reflected XSS.This issue affects Accessibility Task Manager: from n/a through <= 1.2.1.
Published: 2025-01-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Accessibility Task Manager plugin up to version 1.2.1 fails to escape user input before rendering it into a web page, creating a reflected XSS flaw under CWE‑79. When an attacker supplies malicious data that is subsequently reflected in the page, arbitrary JavaScript may run in the victim’s browser, enabling session hijacking, defacement, or the execution of further harmful actions.

Affected Systems

Any WordPress site that installs the pshikli Accessibility Task Manager plugin at version 1.2.1 or earlier is vulnerable. Sites that use the plugin at a later version or omit the plugin altogether are not affected.

Risk and Exploitability

The CVSS score of 7.1 denotes high severity, while the EPSS score of less than 1 % indicates that exploitation is currently uncommon. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attack vector involves an attacker crafting a URL or form payload that reaches the plugin’s vulnerable output route, allowing the malicious input to be reflected back to any visitor or logged‑in user. Exploitation does not require privileged access beyond the ability to send the crafted request, so any user exposed to the vulnerable plugin’s pages remains at risk until the plugin is upgraded or removed.

Generated by OpenCVE AI on May 2, 2026 at 05:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Accessibility Task Manager plugin to a version newer than 1.2.1.
  • Remove any legacy copies of the plugin that may still reside on the site to eliminate alternate entry points.
  • If an update cannot be performed immediately, deactivate or uninstall the plugin until a patched version is available.

Generated by OpenCVE AI on May 2, 2026 at 05:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3373 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TaskMeister Accessibility Task Manager allows Reflected XSS. This issue affects Accessibility Task Manager: from n/a through 1.2.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TaskMeister Accessibility Task Manager allows Reflected XSS. This issue affects Accessibility Task Manager: from n/a through 1.2.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pshikli Accessibility Task Manager accessibility-task-manager allows Reflected XSS.This issue affects Accessibility Task Manager: from n/a through <= 1.2.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 12 Feb 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Jan 2025 15:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TaskMeister Accessibility Task Manager allows Reflected XSS. This issue affects Accessibility Task Manager: from n/a through 1.2.1.
Title WordPress Accessibility Task Manager plugin <= 1.2.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:10:53.616Z

Reserved: 2025-01-16T11:28:53.181Z

Link: CVE-2025-23725

cve-icon Vulnrichment

Updated: 2025-02-12T20:34:33.663Z

cve-icon NVD

Status : Deferred

Published: 2025-01-23T16:15:39.530

Modified: 2026-06-17T08:56:42.080

Link: CVE-2025-23725

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T05:45:20Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')