Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in robin90 First Comment Redirect first-comment-redirect allows Reflected XSS. This issue affects First Comment Redirect: from n/a through <= 1.0.3.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The First Comment Redirect plugin for WordPress fails to escape user-supplied input when rendering a page, so an attacker can embed JavaScript that executes in the victim's browser. The flaw is a classic reflected XSS (CWE-79) and can lead to session hijacking, credential theft, defacement, or the initiation of further attacks. The impact is limited to users who load a page that includes the unfiltered input, but the consequences for those users can be significant.

Affected Systems

The vulnerable component is the WordPress plugin "First Comment Redirect" developed by robin90. All releases up to and including 1.0.3 are affected.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation. The flaw is not listed in the CISA KEV catalog, implying no known active exploitation. The most probable attack vector is a reflected request containing user‑controlled parameters, which an attacker can deliver via a crafted URL or hidden form field, requiring the victim to visit the malicious link for the injected script to execute.

Generated by OpenCVE AI on May 1, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest release of the First Comment Redirect plugin if a version newer than 1.0.3 has resolved the issue.
  • If no subsequent version is available, remove or temporarily disable the plugin to eliminate the reflected XSS vector.
  • Ensure that any data the plugin accepts is validated on input and escaped for its output context before being echoed; apply the platform's standard escaping functions or a library that handles XSS protection.
  • Deploy a Web Application Firewall or enforce a strong Content Security Policy that blocks inline script execution to mitigate the risk of reflected XSS.
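The escaping and CSP recommendations above, shown as an added PHP illustration. This is not the First Comment Redirect plugin's code: the query parameters (`notice`, `back`), the rendering functions and the hook name `first_comment_redirect_send_csp` are hypothetical, and the small `function_exists` fallbacks only exist so the file runs with plain PHP outside WordPress (inside WordPress the real `esc_html()`, `esc_attr()`, `esc_url()`, `wp_unslash()` and `sanitize_text_field()` are used).

```php
<?php
// Added illustration, not the First Comment Redirect plugin's code.
// Parameter names "notice" and "back" and both render functions are hypothetical.

// Fallbacks so this file runs with plain PHP outside WordPress. Inside WordPress
// these functions already exist and the real implementations are used instead.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url($url) {
        // Simplified stand-in: keep only http(s) links, then escape for attribute context.
        // The real esc_url() has a broader allowed-scheme list and more normalisation.
        $url = (string) $url;
        if (!preg_match('#^https?://#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) { return stripslashes((string) $value); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Simplified stand-in: strip tags and control characters, trim whitespace.
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}

// Vulnerable pattern (CWE-79): request data is echoed straight into the page.
function render_notice_vulnerable(array $get): string {
    $notice = $get['notice'] ?? '';
    return '<p class="notice">' . $notice . '</p>';
}

// Hardened pattern: validate on input, then escape for the exact output context.
function render_notice_hardened(array $get): string {
    // Input side: undo magic-quote style slashing and reduce to plain text.
    $notice = sanitize_text_field(wp_unslash($get['notice'] ?? ''));
    $back   = $get['back'] ?? '';

    // Output side: one escaping function per context (attribute, text node, URL).
    $html  = '<p class="notice" data-notice="' . esc_attr($notice) . '">';
    $html .= esc_html($notice);
    $html .= '</p>';
    if ($back !== '') {
        $html .= '<a href="' . esc_url($back) . '">Back</a>';
    }
    return $html;
}

// Defence in depth: a CSP that forbids inline script limits what a reflected
// payload can do even if an escaping bug remains. Hooked on the WordPress
// send_headers action when WordPress is loaded; otherwise never called here.
function first_comment_redirect_send_csp(): void {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}
if (function_exists('add_action')) {
    add_action('send_headers', 'first_comment_redirect_send_csp');
}

// Constructed sample input containing markup characters (not a real request).
$sample = ['notice' => 'Thanks <b>for</b> commenting & welcome', 'back' => 'https://example.com/post/1'];
echo render_notice_vulnerable($sample), PHP_EOL; // markup passes through unchanged
echo render_notice_hardened($sample), PHP_EOL;   // tags stripped on input, "&" entity-encoded on output
```

The design point is that escaping is chosen per output context: `esc_attr()` inside an attribute, `esc_html()` in a text node, `esc_url()` in an `href`. A single generic "sanitize" call on input is not a substitute, because the same value may be rendered in several contexts. The CSP shown disables inline script entirely; on a real WordPress site that policy needs to be tested against the active theme and plugins, many of which rely on inline scripts, before it is enforced.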

Advisories
Source: EUVD
ID: EUVD-2025-5680
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound First Comment Redirect allows Reflected XSS. This issue affects First Comment Redirect: from n/a through 1.0.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Type: Metrics (cvssV3_1)
  Values: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Type: Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound First Comment Redirect allows Reflected XSS. This issue affects First Comment Redirect: from n/a through 1.0.3.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in robin90 First Comment Redirect first-comment-redirect allows Reflected XSS. This issue affects First Comment Redirect: from n/a through <= 1.0.3.

  Type: References

  Type: Metrics (cvssV3_1)
  Values: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Mon, 12 May 2025 16:15:00 +0000

  Type: Metrics (ssvc)
  Values: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 03 Mar 2025 13:45:00 +0000

  Type: Description
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound First Comment Redirect allows Reflected XSS. This issue affects First Comment Redirect: from n/a through 1.0.3.

  Type: Title
  Values Added: WordPress First Comment Redirect plugin <= 1.0.3 - Reflected Cross Site Scripting (XSS) vulnerability

  Type: Weaknesses
  Values Added: CWE-79

  Type: References

  Type: Metrics (cvssV3_1)
  Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:52:53.713Z

Reserved: 2025-01-16T11:31:13.711Z

Link: CVE-2025-23852

Vulnrichment

Updated: 2025-05-12T15:26:19.300Z

NVD

Status : Deferred

Published: 2025-03-03T14:15:48.013

Modified: 2026-06-17T08:57:37.193

Link: CVE-2025-23852

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:45:16Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')