Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ivanchernyakov LawPress – Law Firm Website Management lawpress allows Reflected XSS. This issue affects LawPress – Law Firm Website Management: from n/a through <= 1.4.5.
Published: 2025-01-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of user input during web page generation in the LawPress plugin up to version 1.4.5. When a reflected input value is rendered without proper escaping, an attacker can inject arbitrary JavaScript into the page, which then executes in the browser of any visitor who loads the crafted URL. This enables attackers to steal session cookies, deface content, or carry out further exploitation in the victim's browser.

Affected Systems

The affected product is the LawPress – Law Firm Website Management plugin provided by ivanchernyakov. Versions from the earliest available release through version 1.4.5 are impacted. Any WordPress site running one of these versions is vulnerable.

Risk and Exploitability

The CVSS score of 7.1 is rated High, while the EPSS score of less than 1% suggests that the probability of exploitation is low at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to supply a malicious input parameter to a publicly reachable page. The likely attack vector is a crafted HTTP request that includes the injected script in a query string or form field that the plugin echoes back in the response.

Generated by OpenCVE AI on May 2, 2026 at 05:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LawPress plugin to a version newer than 1.4.5.
  • If an upgrade cannot be performed immediately, temporarily block access to the plugin's front-end endpoints that echo user input, or configure a web application firewall to drop requests containing suspicious script tags.
  • Configure a Content Security Policy that disallows inline scripts and restricts JavaScript execution to trusted sources, and ensure that all user-supplied data is properly escaped before rendering to mitigate potential residual risk.

Advisories
Source: EUVD
ID: EUVD-2025-3393
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ivan Chernyakov LawPress – Law Firm Website Management allows Reflected XSS. This issue affects LawPress – Law Firm Website Management: from n/a through 1.4.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ivan Chernyakov LawPress – Law Firm Website Management allows Reflected XSS. This issue affects LawPress – Law Firm Website Management: from n/a through 1.4.5.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ivanchernyakov LawPress – Law Firm Website Management lawpress allows Reflected XSS. This issue affects LawPress – Law Firm Website Management: from n/a through <= 1.4.5.

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 27 Jan 2025 15:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Jan 2025 14:30:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ivan Chernyakov LawPress – Law Firm Website Management allows Reflected XSS. This issue affects LawPress – Law Firm Website Management: from n/a through 1.4.5.

Type: Title
Values Added: WordPress LawPress plugin <= 1.4.5 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:22:18.546Z

Reserved: 2025-01-16T11:29:46.483Z

Link: CVE-2025-23756

Vulnrichment

Updated: 2025-01-27T15:03:46.490Z

NVD

Status: Deferred

Published: 2025-01-27T15:15:12.877

Modified: 2026-06-17T08:56:57.347

Link: CVE-2025-23756

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T05:15:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')