Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in inwavethemes InFunding infunding allows Reflected XSS. This issue affects InFunding: from n/a through <= 1.0.
Published: 2025-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can embed malicious scripts that are reflected back into the HTTP response by entering specially crafted input through the InFunding plugin’s parameters. The payload is executed in the victim’s browser when the URL is visited, enabling cookie theft, session hijacking, defacement, or other client‑side attacks. The CVSS score of 7.1 indicates high severity and the vulnerability is exploitable without authentication or elevated privileges.

Affected Systems

The InFunding plugin by inwavethemes, versions 1.0 and earlier, is affected. No specific sub‑versions are listed, so all releases through 1.0 are impacted.

Risk and Exploitability

The plugin’s input fields are exposed on the public web front end, so the attack is reachable over the network and requires only that a victim open a crafted link, typically delivered via phishing or social engineering. Although the EPSS score is below 1%, suggesting a low exploitation probability at present, the vulnerability’s high severity and the commonality of XSS exploitation mean an attacker could still achieve user compromise if this issue is publicized. The vulnerability is not listed in the CISA KEV catalog, but its impact remains significant.

Generated by OpenCVE AI on May 1, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the InFunding plugin to a version newer than 1.0, if a patched release is available.
  • If an updated release cannot be obtained, remove or disable the plugin to stop the exposed input vector.
  • Apply standard WordPress hardening practices—such as limiting user permissions, regularly scanning for malware, and validating user input—to reduce the risk of similar XSS flaws in future plugins.

Advisories

Source: EUVD
ID: EUVD-2025-3402
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound InFunding allows Reflected XSS. This issue affects InFunding: from n/a through 1.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

  • Metrics cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  • Description
      Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound InFunding allows Reflected XSS. This issue affects InFunding: from n/a through 1.0.
      Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in inwavethemes InFunding infunding allows Reflected XSS. This issue affects InFunding: from n/a through <= 1.0.
  • References
  • Metrics cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 22 Jan 2025 15:15:00 +0000

  • Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Jan 2025 14:45:00 +0000

  • Description added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound InFunding allows Reflected XSS. This issue affects InFunding: from n/a through 1.0.
  • Title added: WordPress InFunding plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability
  • Weaknesses added: CWE-79
  • References
  • Metrics cvssV3_1 added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:04:57.234Z

Reserved: 2025-01-16T11:29:57.541Z

Link: CVE-2025-23768

Vulnrichment

Updated: 2025-01-22T15:09:29.899Z

NVD

Status: Deferred

Published: 2025-01-22T15:15:23.040

Modified: 2026-06-17T08:57:03.047

Link: CVE-2025-23768

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T19:30:23Z

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')