Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in franciscopalacios Easy Filtering easy-filtering allows Reflected XSS. This issue affects Easy Filtering: from n/a through <= 2.5.0.
Published: 2025-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation in the Easy Filtering plugin allows an attacker to inject arbitrary HTML or JavaScript that is reflected back to the user's browser. The flaw exists in all releases of the plugin up to and including version 2.5.0, due to the plugin's failure to properly encode or sanitize user-supplied query parameters before rendering them.

Affected Systems

The vulnerability affects franciscopalacios Easy Filtering installations on WordPress. All versions from the earliest available through 2.5.0 are vulnerable, so any WordPress site that has the plugin installed and has not upgraded beyond 2.5.0 is exposed.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate-to-high impact, while the EPSS score of less than 1% suggests current exploitation opportunities are scarce. The flaw is not listed in the CISA KEV catalog. The likely attack vector is a malicious URL or form containing the payload, inferred from the reflected XSS nature of the flaw; no authentication or special privileges are required (CVSS PR:N), although the victim must be induced to open the crafted link (UI:R). The overall risk is medium, but timely remediation is recommended.

Generated by OpenCVE AI on May 2, 2026 at 05:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Easy Filtering plugin to a version newer than 2.5.0 as soon as an update becomes available.
  • If an upgrade is not immediately possible, disable or uninstall the plugin until a fix is released.
  • Enforce input validation and output encoding on the site, or implement a strong content security policy to mitigate the impact of any remaining reflected XSS vectors.



Advisories
Source: EUVD
ID: EUVD-2025-3377
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Easy Filtering allows Reflected XSS. This issue affects Easy Filtering: from n/a through 2.5.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Easy Filtering allows Reflected XSS. This issue affects Easy Filtering: from n/a through 2.5.0.
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in franciscopalacios Easy Filtering easy-filtering allows Reflected XSS.This issue affects Easy Filtering: from n/a through <= 2.5.0.

Type: References (updated)

Type: Metrics (cvssV3_1)
{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 22 Jan 2025 20:15:00 +0000

Type: Metrics (ssvc)
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Jan 2025 14:45:00 +0000

Type: Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Easy Filtering allows Reflected XSS. This issue affects Easy Filtering: from n/a through 2.5.0.

Type: Title
WordPress Easy Filtering plugin <= 2.5.0 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
CWE-79

Type: References (added)

Type: Metrics (cvssV3_1)
{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:06:07.255Z

Reserved: 2025-01-16T11:29:21.049Z

Link: CVE-2025-23732

Vulnrichment

Updated: 2025-01-22T16:16:05.012Z

NVD

Status : Deferred

Published: 2025-01-22T15:15:22.640

Modified: 2026-06-17T08:56:45.867

Link: CVE-2025-23732

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T05:45:20Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')