Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flx0 FLX Dashboard Groups flx-dashboard-groups allows Reflected XSS. This issue affects FLX Dashboard Groups: from n/a through <= 0.0.7.
Published: 2025-01-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of user‑supplied input during web page generation in the FLX Dashboard Groups plugin, allowing reflected XSS. When an attacker supplies specially crafted data that the server echoes back, malicious JavaScript can be executed in the victim’s browser. Based on the description, it is inferred that such execution could lead to session hijacking, credential theft, defacement or other client‑side compromise.

Affected Systems

WordPress installations running the FLX Dashboard Groups plugin version 0.0.7 or earlier are affected. Administrators should verify the installed plugin version and upgrade or remove the plugin if it is out of date.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, yet the EPSS score of less than 1% shows that the likelihood of exploitation is low, and the vulnerability is not listed in CISA KEV. The likely attack vector is a crafted URL or form input that is reflected back to the user; the attacker can lure the target to a malicious link to trigger the XSS, which is inferred from standard XSS exploitation patterns.

Generated by OpenCVE AI on May 2, 2026 at 09:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FLX Dashboard Groups plugin to the latest version or remove it if no update exists.
  • Implement a web application firewall rule that filters or blocks requests containing script tags or suspicious query parameters.
  • Restrict access to the plugin’s configuration interfaces to administrators only and advise users to avoid clicking suspicious links that could trigger the reflected XSS.



Advisories
Source ID Title
EUVD EUVD-2025-3376 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound FLX Dashboard Groups allows Reflected XSS. This issue affects FLX Dashboard Groups: from n/a through 0.0.7.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound FLX Dashboard Groups allows Reflected XSS. This issue affects FLX Dashboard Groups: from n/a through 0.0.7.
Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flx0 FLX Dashboard Groups flx-dashboard-groups allows Reflected XSS. This issue affects FLX Dashboard Groups: from n/a through <= 0.0.7.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 12 Feb 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Jan 2025 15:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound FLX Dashboard Groups allows Reflected XSS. This issue affects FLX Dashboard Groups: from n/a through 0.0.7.
Title WordPress FLX Dashboard Groups plugin <= 0.0.7 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:10:06.709Z

Reserved: 2025-01-16T11:28:53.182Z

Link: CVE-2025-23730

Vulnrichment

Updated: 2025-02-12T20:34:24.989Z

NVD

Status: Deferred

Published: 2025-01-23T16:15:39.933

Modified: 2026-06-17T08:56:44.920

Link: CVE-2025-23730

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T09:45:36Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')