Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ERA404 ImageMeta imagemeta allows Reflected XSS. This issue affects ImageMeta: from n/a through <= 1.1.2.
Published: 2025-02-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, allowing an attacker to inject arbitrary JavaScript that will execute in the context of a victim’s browser. This could lead to session hijacking, defacement, or other malicious actions performed while the user is authenticated. The weakness is a classic reflected cross‑site scripting scenario (CWE‑79).

Affected Systems

The flaw affects the ImageMeta plugin from ERA404, versions up to and including 1.1.2. Users running any of these versions on a WordPress site are exposed; no other products or versions are impacted.

Risk and Exploitability

The CVSS score of 7.1 reflects a high‑severity issue whose exploitation requires user interaction with attacker‑supplied input (the vector records UI:R). The EPSS score of < 1% suggests that the likelihood of exploitation is currently low, but the vulnerability can still be exploited without advanced skills. It is not listed in the CISA KEV catalog. Exploitation is inferred to rely on crafting a URL or input containing a malicious payload that the plugin fails to sanitize and then echoes back in the HTML response to the victim. No prerequisite software or network conditions beyond normal web traffic are required.

Generated by OpenCVE AI on May 2, 2026 at 04:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ImageMeta plugin to version 1.1.3 or later, which contains proper input sanitization for all reflected parameters.
  • If an upgrade is not immediately possible, disable the ImageMeta plugin entirely or ensure it cannot process external image requests.
  • Implement a safe content policy on the WordPress site to restrict execution of inline scripts and limit the types of media that can be displayed.

Advisories
Source: EUVD
ID: EUVD-2025-4867
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ERA404 ImageMeta allows Reflected XSS. This issue affects ImageMeta: from n/a through 1.1.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ERA404 ImageMeta allows Reflected XSS. This issue affects ImageMeta: from n/a through 1.1.2.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ERA404 ImageMeta imagemeta allows Reflected XSS. This issue affects ImageMeta: from n/a through <= 1.1.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss
  Removed: {'score': 0.00072}
  Added: {'score': 0.00032}


Tue, 18 Feb 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 17 Feb 2025 11:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ERA404 ImageMeta allows Reflected XSS. This issue affects ImageMeta: from n/a through 1.1.2.
Title WordPress ImageMeta Plugin <= 1.1.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:39:15.927Z

Reserved: 2025-01-16T11:31:05.973Z

Link: CVE-2025-23845

Vulnrichment

Updated: 2025-02-18T15:08:56.957Z

NVD

Status: Deferred

Published: 2025-02-17T12:15:28.127

Modified: 2026-06-17T08:57:36.490

Link: CVE-2025-23845

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T04:30:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')