Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Milan Petrovic GD Mail Queue gd-mail-queue allows Reflected XSS. This issue affects GD Mail Queue: from n/a through <= 4.3.
Published: 2025-01-31
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The GD Mail Queue plugin fails to properly neutralize user‑supplied input when generating web pages, allowing reflected cross‑site scripting attacks. An attacker can craft a request that includes malicious code, which the plugin echoes without encoding. This can lead to session hijacking, cookie theft, or defacement of user accounts that visit the crafted URL, compromising both confidentiality and integrity of affected users.

Affected Systems

Milan Petrovic’s GD Mail Queue plugin is affected. Any installation running version 4.3 or earlier is vulnerable. No specific sub‑version list is provided, but all releases through 4.3 are impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates a high‑severity vulnerability, but the EPSS score of less than 1% shows a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a reflected XSS exploit triggered by a crafted URL or form input that the plugin reflects back to the page, typically targeting users who click on a malicious link or submit a form. If exploited, an attacker could steal session data or inject scripts into a user’s browser, creating a moderate to high risk to user accounts and site integrity.

Generated by OpenCVE AI on May 2, 2026 at 05:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GD Mail Queue to the latest version (4.4 or later) that patches the XSS flaw.
  • If an upgrade is not immediately possible, deactivate or remove the plugin to eliminate exposure.
  • Implement a web‑application firewall or input filtering that escapes or blocks reflected XSS payloads on any user‑supplied parameters.


Tracking


Advisories
Source: EUVD
ID: EUVD-2025-3812
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Milan Petrovic GD Mail Queue allows Reflected XSS. This issue affects GD Mail Queue: from n/a through 4.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Milan Petrovic GD Mail Queue allows Reflected XSS. This issue affects GD Mail Queue: from n/a through 4.3.
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Milan Petrovic GD Mail Queue gd-mail-queue allows Reflected XSS.This issue affects GD Mail Queue: from n/a through <= 4.3.

Type: References
Values removed: (none listed)
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values removed: {'score': 0.00035}
Values added: {'score': 0.00045}


Fri, 31 Jan 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 31 Jan 2025 08:45:00 +0000

Type: Description
Values removed: (none)
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Milan Petrovic GD Mail Queue allows Reflected XSS. This issue affects GD Mail Queue: from n/a through 4.3.

Type: Title
Values removed: (none)
Values added: WordPress GD Mail Queue Plugin <= 4.3 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values removed: (none)
Values added: CWE-79

Type: References
Values removed: (none listed)
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:24:21.872Z

Reserved: 2025-01-23T14:51:10.027Z

Link: CVE-2025-24608

Vulnrichment

Updated: 2025-01-31T19:28:37.771Z

NVD

Status : Deferred

Published: 2025-01-31T09:15:10.767

Modified: 2026-06-17T08:59:18.657

Link: CVE-2025-24608

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T05:15:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')