Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in martinjuhasz One Backend Language one-backend-language allows Reflected XSS. This issue affects One Backend Language: from n/a through <= 1.0.
Published: 2025-01-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An input validation flaw in the WordPress One Backend Language plugin causes user supplied data to be incorporated into web pages without proper encoding. This reflected cross‑site scripting vulnerability, classified as CWE‑79, allows an attacker to embed malicious scripts that will execute in the browsers of anyone who visits a crafted URL. The consequences include theft of session cookies, defacement of web pages, and the ability to redirect users to phishing sites.

Affected Systems

The flaw is present in the One Backend Language plug‑in developed by martinjuhasz, affecting version 1.0 and all earlier releases that are deployed on WordPress sites. Any site that has this plug‑in installed is susceptible to the reflected XSS attack.

Risk and Exploitability

The flaw carries a CVSS score of 7.1, indicating a high level of severity. With an EPSS score below 1%, the likelihood of exploitation in the wild is low, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it by directing users to a crafted link that includes malicious input; no authentication or privileged access is required. The vulnerability can lead to full control of the victim’s browser session.

Generated by OpenCVE AI on May 1, 2026 at 19:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the One Backend Language plug‑in to a version newer than 1.0 to remove the vulnerability.
  • If an upgrade is not immediately possible, disable or uninstall the plug‑in from the WordPress installation.
  • Deploy a web application firewall rule that blocks or sanitizes reflected XSS payloads targeting the plug‑in’s endpoints.


Advisories
Source: EUVD
ID: EUVD-2025-3466
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound One Backend Language allows Reflected XSS. This issue affects One Backend Language: from n/a through 1.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound One Backend Language allows Reflected XSS. This issue affects One Backend Language: from n/a through 1.0.
Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in martinjuhasz One Backend Language one-backend-language allows Reflected XSS. This issue affects One Backend Language: from n/a through <= 1.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 27 Jan 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Jan 2025 11:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound One Backend Language allows Reflected XSS. This issue affects One Backend Language: from n/a through 1.0.
Title WordPress One Backend Language Plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:22.070Z

Reserved: 2025-01-16T11:30:58.639Z

Link: CVE-2025-23837

Vulnrichment

Updated: 2025-01-24T14:08:12.501Z

NVD

Status: Deferred

Published: 2025-01-24T11:15:11.240

Modified: 2026-04-23T15:24:36.453

Link: CVE-2025-23837

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T19:15:24Z

Weaknesses