Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team: Tobias WP2LEADS wp2leads allows Reflected XSS. This issue affects WP2LEADS: from n/a through <= 3.3.3.
Published: 2025-02-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP2LEADS plugin for WordPress fails to properly neutralize user-supplied input when generating web pages, resulting in a reflected XSS flaw. An attacker can craft a URL containing malicious JavaScript that is echoed back unescaped in the page response. When an end user opens this URL, the browser executes the injected script in the context of the site, enabling the attacker to steal session cookies, deface the site, or perform other actions with the victim's privileges.

Affected Systems

WordPress sites that have the Saleswonder Team: Tobias WP2LEADS plugin installed at any version up to and including 3.3.3 are vulnerable. This includes sites running older or unpatched releases of the plugin, regardless of the WordPress core version or of which other plugins are installed.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.1, indicating high severity. The EPSS score is under 1%, suggesting a low current probability of exploitation, but the flaw is publicly known and could be picked up by automated scanners. It is not listed in the CISA KEV catalog. Exploitation requires only that a crafted URL reach a visitor of the affected WordPress site; the attacker needs no privileges on the site, so the attack is remote and low-effort, although it does depend on the victim opening the link.

Generated by OpenCVE AI on May 1, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP2LEADS to the latest available release (3.3.4 or later), which fixes the XSS issue.
  • If an update is not immediately possible, consider disabling the WP2LEADS plugin or removing it from the WordPress installation to eliminate the attack surface.
  • Implement WAF rules or use a security plugin that blocks reflected XSS payloads for the WP2LEADS URLs to mitigate the risk until the plugin is upgraded.

Tracking

Advisories
Source: EUVD
ID: EUVD-2025-3773
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team Tobias WP2LEADS allows Reflected XSS. This issue affects WP2LEADS: from n/a through 3.3.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team Tobias WP2LEADS allows Reflected XSS. This issue affects WP2LEADS: from n/a through 3.3.3.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team: Tobias WP2LEADS wp2leads allows Reflected XSS. This issue affects WP2LEADS: from n/a through <= 3.3.3.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

Values Removed: {'score': 0.00032}

Values Added: {'score': 0.00035}


Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

Values Removed: {'score': 0.00072}

Values Added: {'score': 0.00032}


Tue, 25 Feb 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 14 Feb 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team Tobias WP2LEADS allows Reflected XSS. This issue affects WP2LEADS: from n/a through 3.3.3.
Title WordPress WP2LEADS plugin <= 3.3.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:33:58.228Z

Reserved: 2025-01-23T14:50:32.998Z

Link: CVE-2025-24565

Vulnrichment

Updated: 2025-02-14T15:09:00.276Z

NVD

Status : Deferred

Published: 2025-02-14T13:15:48.540

Modified: 2026-06-17T08:59:14.270

Link: CVE-2025-24565

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T16:30:20Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')