Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fatcatapps Analytics Cat analytics-cat allows Reflected XSS.This issue affects Analytics Cat: from n/a through <= 1.1.2.
Published: 2025-02-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Analytics Cat plugin for WordPress fails to neutralize user input before inserting it into the HTML output. This flaw allows an attacker to insert arbitrary script code that will be executed in the browsers of visitors who load the affected page, resulting in client-side code execution.

Affected Systems

WordPress sites that have the fatcatapps Analytics Cat plugin installed in any version up to and including 1.1.2.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high severity. The EPSS score of less than 1% suggests that exploit attempts are currently uncommon. The vulnerability is not listed in the CISA KEV catalog. An attacker can trigger the flaw by including malicious script content in a URL parameter or form field; no server‑side privileges are required, and the attack can be performed remotely against any site that has the vulnerable plugin.

Generated by OpenCVE AI on May 2, 2026 at 04:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Analytics Cat plugin to a release that contains the XSS fix, such as a version newer than 1.1.2.
  • If an upgrade is not immediately possible, disable or uninstall the Analytics Cat plugin to eliminate the reflected XSS path.
  • Add a Content Security Policy that disallows inline scripts or configure a web application firewall rule that blocks reflected script payloads.

Generated by OpenCVE AI on May 2, 2026 at 04:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3819 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fatcatapps Analytics Cat allows Reflected XSS. This issue affects Analytics Cat: from n/a through 1.1.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fatcatapps Analytics Cat allows Reflected XSS. This issue affects Analytics Cat: from n/a through 1.1.2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fatcatapps Analytics Cat analytics-cat allows Reflected XSS.This issue affects Analytics Cat: from n/a through <= 1.1.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00032}

 epss

{'score': 0.00035}

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00072}

 epss

{'score': 0.00032}

Tue, 25 Feb 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 14 Feb 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fatcatapps Analytics Cat allows Reflected XSS. This issue affects Analytics Cat: from n/a through 1.1.2.
Title WordPress Analytics Cat Plugin <= 1.1.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Fatcatapps Analytics Cat
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:33:23.277Z

Reserved: 2025-01-23T14:51:18.435Z

Link: CVE-2025-24615

cve-icon Vulnrichment

Updated: 2025-02-14T14:26:19.403Z

cve-icon NVD

Status : Deferred

Published: 2025-02-14T13:15:49.353

Modified: 2026-04-23T15:25:08.137

Link: CVE-2025-24615

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T04:45:34Z

Weaknesses