Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Music Store music-store allows Reflected XSS. This issue affects Music Store: from n/a through <= 1.1.19.
Published: 2025-01-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress Music Store eCommerce plugin fails to properly neutralize user input before rendering it on a web page, creating a reflected XSS flaw. This vulnerability allows an attacker to embed and execute arbitrary script code in the browser of any user who opens a crafted link or submits a crafted form. The script runs with the visitor's browser privileges in the site's origin, which can compromise the confidentiality and integrity of the affected WordPress site.

Affected Systems

The plugin "Music Store" from codepeople is affected for all releases from the initial version (no specific lower bound) up to and including version 1.1.19. No version later than 1.1.19 is impacted.

Risk and Exploitability

The CVSS score of 7.1 classifies this flaw as high severity, while the EPSS score of less than 1% indicates a low probability of exploitation in the general population. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a reflected input parameter that the plugin echoes back; an attacker can embed a malicious script in a URL or form submission that a victim must unknowingly view or submit, without requiring authentication or elevated privileges.

Generated by OpenCVE AI on May 2, 2026 at 09:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Music Store plugin to any version newer than 1.1.19.
  • Ensure that any user-supplied data displayed by the plugin is passed through proper WordPress output-encoding functions such as esc_html or wp_kses to satisfy CWE-79 mitigation guidelines.
  • If an upgrade cannot be performed immediately, disable or remove the plugin’s functionality that echoes user input, or disable the plugin entirely until a patched version is available.
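As an added illustration of the escaping the second recommendation refers to (example code written for this page, not the Music Store plugin's own code; the affected code path is not shown here, and the `ms_search` parameter name and both function names are assumptions), the reflected-echo pattern that CWE-79 describes, beside the hardened form using WordPress output-encoding functions:

```php
<?php
// Added illustration, not the plugin's code. The query parameter `ms_search`
// and the two function names are assumed for the example.

// VULNERABLE pattern (reflected XSS): the request value is echoed into a text
// node and into an attribute value without any output encoding, so whatever
// is in the URL becomes part of the page's markup.
function ms_example_render_search_vulnerable() {
    $term = isset( $_GET['ms_search'] ) ? wp_unslash( $_GET['ms_search'] ) : '';
    echo '<p>Results for: ' . $term . '</p>';
    echo '<input type="text" name="ms_search" value="' . $term . '">';
}

// HARDENED pattern: sanitize on input, then escape on output with the function
// that matches the HTML context. esc_html() for text nodes, esc_attr() for
// attribute values, esc_url() for href/src. Escaping is context-specific, so
// one call does not cover every sink.
function ms_example_render_search_hardened() {
    $term = isset( $_GET['ms_search'] )
        ? sanitize_text_field( wp_unslash( $_GET['ms_search'] ) )
        : '';
    echo '<p>Results for: ' . esc_html( $term ) . '</p>';
    echo '<input type="text" name="ms_search" value="' . esc_attr( $term ) . '">';

    // Where limited HTML must be allowed (for example a stored product
    // description), filter it against an allow-list instead of echoing it raw:
    // echo wp_kses_post( $description );
}
```

When reviewing a plugin for this bug class, look for values read from `$_GET`, `$_POST` or `$_REQUEST` that reach `echo`, `print` or a template without an `esc_*` or `wp_kses*` call on the output side; a single unescaped sink in one context is enough to reproduce the issue class this advisory describes.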

Advisories

Source: EUVD
ID: EUVD-2025-3827
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodePeople Music Store allows Reflected XSS. This issue affects Music Store: from n/a through 1.1.19.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodePeople Music Store allows Reflected XSS. This issue affects Music Store: from n/a through 1.1.19.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Music Store music-store allows Reflected XSS.This issue affects Music Store: from n/a through <= 1.1.19.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Jan 2025 14:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodePeople Music Store allows Reflected XSS. This issue affects Music Store: from n/a through 1.1.19.
Title WordPress Music Store – WordPress eCommerce Plugin <= 1.1.19 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:19:57.378Z

Reserved: 2025-01-23T14:51:25.978Z

Link: CVE-2025-24626

Vulnrichment

Updated: 2025-02-12T20:37:38.938Z

NVD

Status : Deferred

Published: 2025-01-27T15:15:14.777

Modified: 2026-06-17T08:59:20.440

Link: CVE-2025-24626

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T09:30:20Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')