Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sabaoh Rollover Tab rollover-tab allows Stored XSS. This issue affects Rollover Tab: from n/a through <= 1.3.2.
Published: 2025-01-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored Cross‑Site Scripting flaw that allows an attacker to inject malicious JavaScript into the Rollover Tab content. When the data is later displayed to site visitors, the script runs in their browsers. This can lead to theft of session cookies, defacement of the site, phishing, and other client‑side attacks.

Affected Systems

The flaw affects any WordPress site running the Sabaoh Rollover Tab plugin version 1.3.2 or earlier. The plugin is available on the WordPress plugin repository and is used to create tabbed interfaces on pages. No specific WordPress core versions are listed, so the issue applies regardless of the core release.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate risk, and the EPSS score of less than 1% reflects a low probability of exploitation, yet the vulnerability is exploitable by anyone with the ability to create or edit tab content. An attacker can embed arbitrary JavaScript via the plugin’s content field, and because that content is stored and re‑displayed, the script executes for every visitor who views the affected tabs. The flaw is not listed in CISA’s KEV catalog, but its impact on the confidentiality and integrity of session data makes patching a high priority.

Generated by OpenCVE AI on May 1, 2026 at 20:34 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Rollover Tab plugin to a version newer than 1.3.2 once one is available, by downloading the latest release from the WordPress repository.
  • If an upgrade is infeasible, deactivate or remove the Rollover Tab plugin from the site to eliminate the attack surface.
  • Apply a web‑application firewall rule or configure a Content Security Policy that blocks inline scripts and disallows executable content from the tab plugin’s output.

Advisories

Source: EUVD
ID: EUVD-2025-3484
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eiji ‘Sabaoh’ Yamada Rollover Tab allows Stored XSS. This issue affects Rollover Tab: from n/a through 1.3.2.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eiji ‘Sabaoh’ Yamada Rollover Tab allows Stored XSS. This issue affects Rollover Tab: from n/a through 1.3.2.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sabaoh Rollover Tab rollover-tab allows Stored XSS. This issue affects Rollover Tab: from n/a through <= 1.3.2.

Type: References

Type: Metrics (cvssV3_1)
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 17 Jan 2025 19:15:00 +0000

Type: Metrics (ssvc)
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Jan 2025 20:30:00 +0000

Type: Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eiji ‘Sabaoh’ Yamada Rollover Tab allows Stored XSS. This issue affects Rollover Tab: from n/a through 1.3.2.

Type: Title
WordPress Rollover Tab plugin <= 1.3.2 - Stored Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
CWE-79

Type: References

Type: Metrics (cvssV3_1)
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:22.701Z

Reserved: 2025-01-16T11:31:20.770Z

Link: CVE-2025-23863

Vulnrichment

Updated: 2025-01-17T17:17:26.472Z

NVD

Status: Deferred

Published: 2025-01-16T21:15:26.290

Modified: 2026-04-23T15:24:39.537

Link: CVE-2025-23863

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T20:45:25Z

Weaknesses