Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ulrich Sossou The Loops the-loops allows Reflected XSS. This issue affects The Loops: from n/a through <= 1.0.2.
Published: 2025-01-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Loops plugin fails to neutralize user-controlled input before placing it in generated page output (CWE-79), which allows reflected cross-site scripting. An attacker crafts a URL whose parameter value is echoed unencoded into the HTTP response, so script embedded in that value executes in the victim's browser within the site's origin. That script can read page content and any non-HttpOnly cookies, perform actions with the victim's privileges, and deface or redirect the page. WordPress sets its authentication cookies with the HttpOnly flag by default, so the more realistic impact is script acting on the victim's behalf (for example, issuing authenticated admin-ajax or REST requests as a logged-in administrator) rather than direct theft of the session token.

Affected Systems

The vulnerability affects the WordPress plugin The Loops (slug the-loops) by Ulrich Sossou in every version up to and including 1.0.2; the advisory states the range as "from n/a through <= 1.0.2". The page records no fixed version, so treat any installed version at or below 1.0.2 as affected and confirm against the vendor's changelog before assuming a later release is patched.

Risk and Exploitability

The CVSS 3.1 base score is 7.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: the attack is reachable over the network, needs no privileges and is low complexity, but requires user interaction (a victim must open the crafted link); the scope change reflects that the injected script runs in the victim's browser rather than on the server. The EPSS score is below 1%, the issue is not listed in the CISA KEV catalog, and the SSVC record gives Exploitation: none and Automatable: no, so exploitation is unlikely at present but not ruled out. The realistic attack path is a phishing link: an attacker sends a URL carrying the payload to a user, ideally one logged in as an administrator, and the reflected script then acts with that user's session, for example to change settings, deface content or redirect visitors.

Generated by OpenCVE AI on May 1, 2026 at 18:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update The Loops to a version later than 1.0.2 as soon as the vendor publishes one. At the time of this enrichment no fixed version is recorded, so check the plugin's changelog rather than assuming the latest release is patched.
  • If no patched version is available, deactivate and remove the plugin until one is released.
  • As an interim control, add a web application firewall rule that blocks common XSS payloads in incoming request parameters (a WAF inspects requests, not rendered output). If you maintain the plugin code, escape every user-supplied value at the point of output with the context-appropriate WordPress function (esc_html() for HTML body text, esc_attr() for attribute values, esc_url() for URLs) rather than relying on input filtering alone.

Generated by OpenCVE AI on May 1, 2026 at 18:15 UTC.
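The reflection mechanism from the Impact section and the encode-at-output remediation from the actions above, as an added example that is not part of this page, of OpenCVE, or of The Loops plugin. The page does not name the reflected parameter, so the parameter `q`, the two handler functions and the HTML around them are hypothetical stand-ins for an unpatched and a patched handler; the canary check is the one a practitioner would run against a response body to confirm whether a given parameter is reflected unencoded.

```python
"""Reflected XSS: an unpatched vs. patched handler, plus a reflection check.

Added example for the advisory above; not code from The Loops plugin or
from OpenCVE. The reflected parameter is not recorded on the page, so the
parameter `q`, both handlers and their HTML are hypothetical and only
reproduce the CWE-79 pattern the advisory describes.
"""
import html
import secrets
import urllib.parse


def _param(query_string: str, name: str) -> str:
    """First value of a query parameter, or '' if absent (constructed helper)."""
    params = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Hypothetical unpatched handler: the parameter is written into the HTML
    body exactly as received, so markup inside it becomes live markup."""
    return f"<p>Results for {_param(query_string, 'q')}</p>"


def render_fixed(query_string: str) -> str:
    """Hypothetical patched handler: the value is HTML-encoded at the point of
    output (the WordPress equivalent is esc_html()), so '<', '>', '&' and
    quotes reach the browser as entities and cannot open a tag or attribute."""
    return f"<p>Results for {html.escape(_param(query_string, 'q'), quote=True)}</p>"


def make_canary() -> str:
    """Random marker wrapped in the characters an HTML encoder must neutralize.
    A random token avoids false positives from the word appearing elsewhere."""
    return f'<"{secrets.token_hex(4)}">'


def classify_reflection(body: str, canary: str) -> str:
    """How a response handled the canary:
      'raw'     canary present byte-for-byte: an injection point exists
      'encoded' the token is present but its '<' '"' '>' were escaped
      'absent'  the parameter is not reflected in this response at all
    """
    if canary in body:
        return "raw"
    token = canary[2:-2]  # strip the wrapping <" and ">
    if token in body:
        return "encoded"
    return "absent"


def check_handler(render, param: str = "q") -> str:
    """Probe one handler with a fresh canary in `param` and classify the result.
    Against a live site the same classification is applied to the HTTP body."""
    canary = make_canary()
    query_string = urllib.parse.urlencode({param: canary})
    return classify_reflection(render(query_string), canary)


# Constructed, generic payload of the kind a crafted link would carry.
SAMPLE_PAYLOAD = "<script>alert(document.domain)</script>"


def render_both(payload: str = SAMPLE_PAYLOAD) -> tuple:
    """Return (unpatched output, patched output) for the same crafted link."""
    query_string = urllib.parse.urlencode({"q": payload})
    return render_vulnerable(query_string), render_fixed(query_string)


if __name__ == "__main__":
    for name, handler in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(f"{name:>10}: {check_handler(handler)}")
    unpatched, patched = render_both()
    print("unpatched:", unpatched)
    print("  patched:", patched)
```

The canary check tests the encoder, not a blocklist, so it does not need a working exploit payload: a result of `raw` means the parameter lands in the page unencoded and any of the usual payloads will execute, while `encoded` means the fix is doing its job for that output context. `html.escape(quote=True)` is the right encoder for HTML body text and double-quoted attribute values; a value placed in a URL, a JavaScript string or an unquoted attribute needs its own context-specific encoding, which is why WordPress ships esc_url() and esc_attr() alongside esc_html().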

Advisories
Source ID Title
EUVD EUVD-2025-3391 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ulrich Sossou The Loops allows Reflected XSS. This issue affects The Loops: from n/a through 1.0.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ulrich Sossou The Loops allows Reflected XSS. This issue affects The Loops: from n/a through 1.0.2.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ulrich Sossou The Loops the-loops allows Reflected XSS.This issue affects The Loops: from n/a through <= 1.0.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 27 Jan 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Jan 2025 14:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ulrich Sossou The Loops allows Reflected XSS. This issue affects The Loops: from n/a through 1.0.2.
Title WordPress The Loops plugin <= 1.0.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:22:30.495Z

Reserved: 2025-01-16T11:29:46.482Z

Link: CVE-2025-23754

Vulnrichment

Updated: 2025-01-27T15:28:18.252Z

NVD

Status : Deferred

Published: 2025-01-27T15:15:12.727

Modified: 2026-06-17T08:56:56.387

Link: CVE-2025-23754

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T18:30:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')