Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpgear Import Excel to Gravity Forms gf-excel-import allows Reflected XSS. This issue affects Import Excel to Gravity Forms: from n/a through <= 1.18.
Published: 2025-02-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Neutralization of Input During Web Page Generation flaw that allows attackers to inject malicious scripts into pages rendered by the WordPress Import Excel to Gravity Forms plugin. An attacker can craft a URL containing embedded JavaScript or other executable code; when a susceptible user visits that URL, the script runs in the victim’s browser, enabling attacks such as session hijacking, defacement, or malicious redirects. The weakness is classified as CWE‑79, and the vulnerability is reflected, meaning the attacker must provide input that is immediately echoed back to the victim.

Affected Systems

The issue affects the wpgear Import Excel to Gravity Forms plugin. All released versions up to and including 1.18 are vulnerable. System owners using this plugin via WordPress should identify the installed version and verify whether it falls within the affected range.

Risk and Exploitability

The CVSS score of 7.1 signals a high impact if exploited. However, the EPSS score is less than 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a low probability of widespread exploitation at present. Attackers would need to get a target to load a crafted request, typically through social engineering or spear‑phishing. Once the request is served, the reflected XSS can fully compromise the victim’s browser session.

Generated by OpenCVE AI on May 1, 2026 at 17:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Import Excel to Gravity Forms plugin to a version newer than 1.18
  • If an upgrade is not immediately possible, restrict the plugin’s file‑upload functionality to administrative users only to prevent end‑users from triggering the vulnerable code
  • Implement a strong Content Security Policy (CSP) to limit the execution of injected scripts

Advisories

Source: EUVD
ID: EUVD-2025-3830
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPGear Import Excel to Gravity Forms allows Reflected XSS. This issue affects Import Excel to Gravity Forms: from n/a through 1.18.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description, value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPGear Import Excel to Gravity Forms allows Reflected XSS. This issue affects Import Excel to Gravity Forms: from n/a through 1.18.
  Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpgear Import Excel to Gravity Forms gf-excel-import allows Reflected XSS. This issue affects Import Excel to Gravity Forms: from n/a through <= 1.18.
  References
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Mon, 14 Jul 2025 13:45:00 +0000
  Metrics (epss), value removed: {'score': 0.00035}
  Metrics (epss), value added: {'score': 0.00045}

Mon, 03 Feb 2025 17:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 03 Feb 2025 14:30:00 +0000
  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPGear Import Excel to Gravity Forms allows Reflected XSS. This issue affects Import Excel to Gravity Forms: from n/a through 1.18.
  Title: WordPress Import Excel to Gravity Forms Plugin <= 1.18 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:30.823Z

Reserved: 2025-01-23T14:51:25.978Z

Link: CVE-2025-24629

Vulnrichment

Updated: 2025-02-03T16:50:49.502Z

NVD

Status: Deferred

Published: 2025-02-03T15:15:27.163

Modified: 2026-06-17T08:59:20.727

Link: CVE-2025-24629

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T17:45:15Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')