Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UIUX Lab Uix Page Builder uix-page-builder allows Reflected XSS. This issue affects Uix Page Builder: from n/a through <= 1.7.3.
Published: 2025-02-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Uix Page Builder plugin uses user-supplied data in web pages without proper sanitization, enabling a reflected cross-site scripting (XSS) flaw. An attacker can embed malicious script code that is returned to the victim's browser during page rendering, giving the attacker the ability to execute code in the context of that browser session.

Affected Systems

Any WordPress installation that has the UIUX Lab Uix Page Builder plugin installed in a version up to and including 1.7.3 is affected.

Risk and Exploitability

With a CVSS score of 7.1, the flaw is considered high severity. An EPSS score of less than 1% indicates a low observed exploitation probability, and the vulnerability is not listed in CISA's KEV catalog. The typical attack vector for reflected XSS is user-controllable input that the plugin renders without escaping, such as query parameters or form fields. Exploitation requires the plugin to be active and the page to display the reflected data, and it only impacts the victim's browser context rather than the server or other users.

Generated by OpenCVE AI on May 2, 2026 at 04:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the UIUX Lab Uix Page Builder plugin to a version newer than 1.7.3, which resolves the reflected XSS vulnerability.
  • If the plugin is unnecessary for site functionality, disable or uninstall it to eliminate the risk.
  • Deploy a Content Security Policy that blocks inline scripts or otherwise restricts script sources, and validate or escape user input to mitigate potential XSS.



Advisories
Source | ID | Title
EUVD | EUVD-2025-3820 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UIUX Lab Uix Page Builder allows Reflected XSS. This issue affects Uix Page Builder: from n/a through 1.7.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UIUX Lab Uix Page Builder allows Reflected XSS. This issue affects Uix Page Builder: from n/a through 1.7.3. | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UIUX Lab Uix Page Builder uix-page-builder allows Reflected XSS. This issue affects Uix Page Builder: from n/a through <= 1.7.3.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 14 Jul 2025 13:45:00 +0000

Type | Values Removed | Values Added
Metrics | epss {'score': 0.00032} | epss {'score': 0.00035}


Sun, 13 Jul 2025 13:45:00 +0000

Type | Values Removed | Values Added
Metrics | epss {'score': 0.00072} | epss {'score': 0.00032}


Fri, 14 Feb 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 14 Feb 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UIUX Lab Uix Page Builder allows Reflected XSS. This issue affects Uix Page Builder: from n/a through 1.7.3.
Title WordPress Uix Page Builder Plugin <= 1.7.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:32:58.204Z

Reserved: 2025-01-23T14:51:18.436Z

Link: CVE-2025-24616

Vulnrichment

Updated: 2025-02-14T14:18:11.676Z

NVD

Status: Deferred

Published: 2025-02-14T13:15:49.490

Modified: 2026-06-17T08:59:19.443

Link: CVE-2025-24616

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T04:45:34Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')