Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SuryaBhan Custom Coming Soon custom-coming-soon allows Reflected XSS. This issue affects Custom Coming Soon: from n/a through <= 2.2.
Published: 2025-01-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin fails to escape or validate user input that is reflected back into a generated web page. An attacker can supply malicious JavaScript in a request and cause that code to run in any victim's browser. This can lead to credential theft, defacement, or execution of further malicious actions in the context of the victim's logged-in session. The weakness is a classic reflected XSS flaw (CWE-79).

Affected Systems

WordPress sites that have the SuryaBhan Custom Coming Soon plugin installed in any version up to and including 2.2 are subject to this vulnerability. No other vendors or product families are listed as affected.

Risk and Exploitability

The vulnerability has a CVSS v3.1 base score of 7.1, which the CVSS v3.1 qualitative scale (7.0 to 8.9) rates as High, matching the score shown in the metadata above. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the issue is not catalogued in the CISA KEV list. The attack vector is reflected XSS: an attacker crafts a URL or form payload that includes script, and the vulnerable plugin echoes it back into the response without proper encoding. Only a user who loads the crafted page in a browser is affected, so the scope is limited to client-side compromise of that user's session.

Generated by OpenCVE AI on May 1, 2026 at 19:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SuryaBhan Custom Coming Soon plugin to version 2.3 or later, or uninstall the plugin if it is no longer required.
  • If immediate upgrade is not possible, disable the plugin and remove it from the WordPress installation until a safe version is available.
  • Apply a site-wide Content-Security-Policy header that blocks inline scripts (for example, script-src 'self') to mitigate the impact of reflected XSS until the plugin is fixed.

Advisories
Source: EUVD
ID: EUVD-2025-3465
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SuryaBhan Custom Coming Soon allows Reflected XSS. This issue affects Custom Coming Soon: from n/a through 2.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SuryaBhan Custom Coming Soon allows Reflected XSS. This issue affects Custom Coming Soon: from n/a through 2.2.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SuryaBhan Custom Coming Soon custom-coming-soon allows Reflected XSS.This issue affects Custom Coming Soon: from n/a through <= 2.2.

Type: References

Type: Metrics (cvssV3_1)
Values: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 13 Feb 2025 08:15:00 +0000

Type: Metrics (ssvc)
Values: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Jan 2025 15:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SuryaBhan Custom Coming Soon allows Reflected XSS. This issue affects Custom Coming Soon: from n/a through 2.2.

Type: Title
Values Added: WordPress Custom Coming Soon Plugin <= 2.2 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T23:45:40.472Z

Reserved: 2025-01-16T11:30:58.639Z

Link: CVE-2025-23836

Vulnrichment

Updated: 2025-02-12T20:34:14.168Z

NVD

Status: Deferred

Published: 2025-01-23T16:15:40.497

Modified: 2026-06-17T08:57:35.580

Link: CVE-2025-23836

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T19:15:24Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')