Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Clifton Griffin CGD Arrange Terms shopp-arrange allows Reflected XSS.This issue affects CGD Arrange Terms: from n/a through <= 1.1.3.
Published: 2025-01-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross-site scripting flaw in the Clifton Griffin CGD Arrange Terms plugin lets an attacker inject script that is reflected, unescaped, back into the victim's browser. The weakness, classified as CWE‑79 (improper neutralization of input during web page generation), could be used to hijack user sessions, deface content, or exfiltrate data visible to the victim. A successful exploit requires only that the attacker deliver a crafted request to the victim, typically as a link or a pre-filled form, and that the victim open or interact with the resulting page.

Affected Systems

The CGD Arrange Terms WordPress plugin (slug shopp-arrange) is affected in version 1.1.3 and all earlier versions. Any WordPress site with this plugin active is exposed. No specific operating system or WordPress core version is singled out by the advisory.

Risk and Exploitability

With a CVSS 3.1 base score of 7.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) the issue falls into the high severity range: it is reachable over the network without prior authentication, needs the victim to follow a link or submit a form (UI:R), and scope is changed because the injected script runs in the victim's browser rather than on the server. The EPSS score is below 1 %, the CISA SSVC assessment recorded in the history below rates exploitation as none and the flaw as not automatable, and the vulnerability is not listed in CISA's KEV catalog. Nonetheless, because the flaw is reflected XSS, an attacker can target any user, and in particular a logged‑in administrator whose session carries the most privilege, by sending a crafted link or embedding it in a malicious email. The attack vector is the web interface; no privileges on the target and no code execution on the server are required.

Generated by OpenCVE AI on May 2, 2026 at 05:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CGD Arrange Terms plugin as soon as a release newer than 1.1.3 that addresses this issue is published; at the time of writing no fixed version is recorded on this page
  • While no fix is available, deactivate the plugin or remove it from the live site
  • As a mitigation rather than a fix, apply a web application firewall rule that blocks common XSS payloads in request parameters, or enforce a Content Security Policy that disallows inline script execution
  • Ensure that any custom forms or templates exposed by the plugin sanitize request input and escape output for its context using the WordPress functions (esc_html(), esc_attr(), esc_url())
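The following PHP is an added illustration of the CWE-79 pattern the advisory describes and of the WordPress-idiomatic fix the last recommendation refers to. It is not code from the CGD Arrange Terms plugin (the advisory does not identify the affected code path); the request parameter `cgd_sort`, the function names and the form markup are hypothetical, while `sanitize_text_field()`, `wp_unslash()`, `esc_attr()`, `esc_html()`, `esc_url()`, `add_query_arg()` and the `send_headers` action are real WordPress APIs. It goes slightly beyond the recommendation by adding an input allow-list and a CSP header as defence in depth.

```php
<?php
/**
 * Added example for this advisory: the reflected-XSS (CWE-79) pattern and its fix
 * in WordPress plugin code. This is not the CGD Arrange Terms plugin's code; the
 * parameter name "cgd_sort", the function names and the markup are hypothetical.
 */

// Vulnerable pattern: a GET parameter is echoed into HTML without escaping.
// Requesting the page with
//   ?cgd_sort=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
// closes the value attribute and executes script in the visitor's browser.
function cgd_example_render_vulnerable() {
	$sort = isset( $_GET['cgd_sort'] ) ? $_GET['cgd_sort'] : 'asc';

	echo '<input type="hidden" name="cgd_sort" value="' . $sort . '">';
	echo '<p>Sorting terms: ' . $sort . '</p>';
}

// Hardened pattern: sanitize on input, allow-list the value, and escape for the
// exact output context (attribute, element text, URL) on output.
function cgd_example_render_hardened() {
	$raw = isset( $_GET['cgd_sort'] )
		? sanitize_text_field( wp_unslash( $_GET['cgd_sort'] ) )
		: 'asc';

	// Only the two values the form understands are ever reflected.
	$allowed = array( 'asc', 'desc' );
	$sort    = in_array( $raw, $allowed, true ) ? $raw : 'asc';

	echo '<input type="hidden" name="cgd_sort" value="' . esc_attr( $sort ) . '">';
	echo '<p>Sorting terms: ' . esc_html( $sort ) . '</p>';

	// Links that carry the parameter go through esc_url(), which rejects
	// javascript: and other disallowed schemes and makes the URL attribute-safe.
	$reverse = add_query_arg( 'cgd_sort', 'asc' === $sort ? 'desc' : 'asc' );
	echo '<a href="' . esc_url( $reverse ) . '">Reverse order</a>';
}

// Defence in depth for front-end requests: a Content-Security-Policy without
// 'unsafe-inline' stops an injected <script> block from running even if a
// reflection slips through. It does not fix the reflection itself, and inline
// scripts emitted by the theme or other plugins will be blocked too, so trial it
// as Content-Security-Policy-Report-Only before enforcing.
add_action( 'send_headers', function () {
	header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" );
} );
```

The escaping function must match the output context: esc_attr() inside a quoted attribute, esc_html() in element text, esc_url() in an href. Sanitizing on input alone is not enough, because sanitize_text_field() strips tags but leaves quotes that can still break out of an attribute; the allow-list plus context-aware escaping is what closes the reflection.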

Advisories
Source: EUVD
ID: EUVD-2025-3390
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound CGD Arrange Terms allows Reflected XSS. This issue affects CGD Arrange Terms: from n/a through 1.1.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound CGD Arrange Terms allows Reflected XSS. This issue affects CGD Arrange Terms: from n/a through 1.1.3.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Clifton Griffin CGD Arrange Terms shopp-arrange allows Reflected XSS.This issue affects CGD Arrange Terms: from n/a through <= 1.1.3.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 27 Jan 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Jan 2025 14:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound CGD Arrange Terms allows Reflected XSS. This issue affects CGD Arrange Terms: from n/a through 1.1.3.
Title WordPress CGD Arrange Terms plugin <= 1.1.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:21:53.911Z

Reserved: 2025-01-16T11:29:46.482Z

Link: CVE-2025-23752

Vulnrichment

Updated: 2025-01-27T15:28:38.479Z

NVD

Status : Deferred

Published: 2025-01-27T15:15:12.570

Modified: 2026-06-17T08:56:55.433

Link: CVE-2025-23752

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T05:15:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')