Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in unalignedcoder Stray Random Quotes stray-quotes allows Reflected XSS. This issue affects Stray Random Quotes: from n/a through <= 1.9.9.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Stray Random Quotes plugin for WordPress improperly sanitizes user input, enabling attackers to inject arbitrary scripts that are reflected back in the generated web page. By crafting a URL that carries malicious JavaScript, an attacker can execute code in the browser of any visitor who opens the link, resulting in cookie theft, session hijacking, or defacement. The vulnerability is a classic reflected XSS flaw (CWE-79) and requires the victim to load a crafted request.

Affected Systems

The flaw exists in the unalignedcoder Stray Random Quotes plugin for WordPress and affects all installations running version 1.9.9 or earlier. No lower bound was specified; therefore any release prior to 1.10 is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.1 denotes a high rating, while an EPSS score below 1% suggests that exploitation attempts are currently rare. The vulnerability is not listed in CISA's KEV catalog, further indicating limited exploitation in the wild. Exploitation requires a victim to visit a maliciously crafted URL; the attacker needs only to embed the malicious script in that URL, and no local privilege escalation is required. Thus the risk is moderate but can be mitigated through timely patching.

Generated by OpenCVE AI on May 1, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Stray Random Quotes to the latest version (≥ 1.10) that removes the reflected XSS vulnerability.
  • If the plugin cannot be updated immediately, uninstall or disable it to eliminate the attack surface.
  • Implement a site-wide input sanitization review, ensure WordPress's built-in escaping functions (e.g., esc_html, esc_url) are used consistently, and use a web application firewall to block XSS patterns where possible.


Advisories
Source: EUVD
ID: EUVD-2025-5678
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Stray Random Quotes allows Reflected XSS. This issue affects Stray Random Quotes: from n/a through 1.9.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Stray Random Quotes allows Reflected XSS. This issue affects Stray Random Quotes: from n/a through 1.9.9.
  Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in unalignedcoder Stray Random Quotes stray-quotes allows Reflected XSS.This issue affects Stray Random Quotes: from n/a through <= 1.9.9.
References
Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 12 May 2025 16:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 03 Mar 2025 13:45:00 +0000

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Stray Random Quotes allows Reflected XSS. This issue affects Stray Random Quotes: from n/a through 1.9.9.
Title: WordPress Stray Random Quotes Plugin <= 1.9.9 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses: CWE-79
References
Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:23.815Z

Reserved: 2025-01-16T11:31:35.915Z

Link: CVE-2025-23883

Vulnrichment

Updated: 2025-05-12T15:28:44.090Z

NVD

Status: Deferred

Published: 2025-03-03T14:15:48.430

Modified: 2026-04-23T15:24:42.027

Link: CVE-2025-23883

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:45:16Z

Weaknesses