Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hiren Patel Custom Users Order custom-users-order allows Reflected XSS. This issue affects Custom Users Order: from n/a through <= 4.2.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an improper neutralization of user input during page generation, which results in a reflected XSS flaw. An attacker can embed a malicious script in a crafted URL or form input that the plugin then writes back into the page. If a victim opens the link or submits the input, the script runs in the victim's browser with the victim's privileges, potentially leaking session cookies, defacing content, or hijacking the session.

Affected Systems

Affected is the WordPress plugin Custom Users Order by Hiren Patel, from an unknown starting version up to and including 4.2.

Risk and Exploitability

The base CVSS score of 7.1 indicates high severity. The EPSS is below 1%, so widespread exploitation is unlikely, but the flaw can lie dormant. Attackers can likely exploit the vulnerability remotely by sending a crafted request; no authentication is required, and any user who visits the affected content may be impacted. It is not listed in the CISA KEV catalog but remains publicly disclosed.

Generated by OpenCVE AI on May 1, 2026 at 09:23 UTC.
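The pattern behind CWE-79 in a WordPress plugin, as an added illustration that is not the Custom Users Order plugin's code and does not reproduce its specific bug: a request parameter echoed into HTML unescaped, beside the same output neutralized with WordPress's escaping and sanitizing helpers. The `cuo_demo_` function names and the sample input are made up; the fallback definitions only exist so the file runs outside WordPress.

```php
<?php
// Added illustration of CWE-79 (reflected XSS) in a WordPress plugin context.
// Hypothetical code: NOT the Custom Users Order plugin's source; the cuo_demo_
// names are invented for this example.

// Fallbacks so the file also runs from the plain `php` CLI. Inside WordPress the
// real esc_html()/sanitize_text_field()/wp_unslash() are defined and used instead.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) { return stripslashes( (string) $value ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    // Simplified stand-in: trims and drops control characters. WordPress's real
    // function does more (e.g. strips tags), but escaping on output is still required.
    function sanitize_text_field( $str ) {
        return trim( preg_replace( '/[\x00-\x1F\x7F]/', '', (string) $str ) );
    }
}

// Vulnerable pattern: a request parameter is written straight into the page, so any
// markup the visitor's URL carries is interpreted by the browser.
function cuo_demo_notice_vulnerable( array $request ): string {
    $msg = isset( $request['msg'] ) ? $request['msg'] : '';
    return '<div class="notice notice-info"><p>' . $msg . '</p></div>';
}

// Hardened pattern: sanitize on input, then escape for the HTML text context on
// output. The output escaping is the step that neutralizes the value.
function cuo_demo_notice_hardened( array $request ): string {
    $msg = isset( $request['msg'] ) ? sanitize_text_field( wp_unslash( $request['msg'] ) ) : '';
    return '<div class="notice notice-info"><p>' . esc_html( $msg ) . '</p></div>';
}

// Constructed input standing in for $_GET: a value that carries HTML markup.
$sample = array( 'msg' => 'Order saved <b>ok</b> & done' );

echo 'vulnerable: ' . cuo_demo_notice_vulnerable( $sample ) . PHP_EOL;
echo 'hardened:   ' . cuo_demo_notice_hardened( $sample ) . PHP_EOL;
```

In the hardened output the `<b>` and `&` arrive as `&lt;b&gt;` and `&amp;`, so the browser renders them as text instead of markup; a WAF rule, as the recommended actions suggest, only adds a second layer in front of this output escaping.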

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Custom Users Order plugin to the latest version or apply the vendor's patch.
  • If an update is not immediately available, deactivate or remove the plugin entirely to eliminate the risk.
  • Use a web application firewall or security plugin to filter or block potential script payloads processed by the plugin.
  • Audit other installed WordPress plugins for similar reflected XSS weaknesses.

Generated by OpenCVE AI on May 1, 2026 at 09:23 UTC.

Advisories

Source | ID | Title
EUVD | EUVD-2025-11593 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hiren Patel Custom Users Order allows Reflected XSS. This issue affects Custom Users Order: from n/a through 4.2.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description (values removed): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hiren Patel Custom Users Order allows Reflected XSS. This issue affects Custom Users Order: from n/a through 4.2.
  Description (values added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hiren Patel Custom Users Order custom-users-order allows Reflected XSS.This issue affects Custom Users Order: from n/a through <= 4.2.
  References
  Metrics: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 17 Apr 2025 19:15:00 +0000
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 16:00:00 +0000
  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hiren Patel Custom Users Order allows Reflected XSS. This issue affects Custom Users Order: from n/a through 4.2.
  Title: WordPress Custom Users Order Plugin <= 4.2 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References
  Metrics: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:22.748Z

Reserved: 2025-01-16T11:31:13.711Z

Link: CVE-2025-23858

Vulnrichment

Updated: 2025-04-17T17:42:58.411Z

NVD

Status : Deferred

Published: 2025-04-17T16:15:30.917

Modified: 2026-04-23T15:24:38.957

Link: CVE-2025-23858

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:30:14Z

Weaknesses