Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi Beacon Lead Magnets and Lead Capture beacon-by allows Reflected XSS. This issue affects Beacon Lead Magnets and Lead Capture: from n/a through <= 1.5.7.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Beacon Lead Magnets and Lead Capture WordPress plugin generates web pages using user input without proper neutralization, resulting in reflected cross-site scripting. An attacker who can place script content in query parameters or form fields that the plugin reflects into the page can have that script run in the victim's browser. This can allow session hijacking, credential theft, defacement, or the delivery of malware.

Affected Systems

The vulnerability affects the Syed Balkhi Beacon Lead Magnets and Lead Capture WordPress plugin, versions from the initial release through 1.5.7 inclusive. WordPress sites that have installed any of these plugin versions are susceptible to the reflected XSS flaw.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity. The EPSS score of less than 1% shows that exploitation is currently considered unlikely, and the flaw is not currently listed in CISA’s KEV catalog. Nevertheless, the attack path is straightforward: an attacker can supply malicious input via public URLs or form fields that the plugin reflects, and no authentication is required. The absence of authentication checks and improper input sanitization make this a low‑barrier vulnerability for malicious actors, especially on sites with high user interaction.

Generated by OpenCVE AI on May 1, 2026 at 09:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Beacon Lead Magnets and Lead Capture to version 1.5.8 or later, if available, to apply the vendor‑provided fix.
  • If an upgrade cannot be applied immediately, remove or deactivate the plugin from publicly accessible pages and limit exposure until the patch is installed.
  • Implement a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted domains, thereby mitigating reflected XSS until the plugin is fully patched.

Advisories
Source: EUVD
ID: EUVD-2025-11607
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi Beacon Lead Magnets and Lead Capture allows Reflected XSS. This issue affects Beacon Lead Magnets and Lead Capture: from n/a through 1.5.7.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi Beacon Lead Magnets and Lead Capture allows Reflected XSS. This issue affects Beacon Lead Magnets and Lead Capture: from n/a through 1.5.7.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi Beacon Lead Magnets and Lead Capture beacon-by allows Reflected XSS. This issue affects Beacon Lead Magnets and Lead Capture: from n/a through <= 1.5.7.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 17 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi Beacon Lead Magnets and Lead Capture allows Reflected XSS. This issue affects Beacon Lead Magnets and Lead Capture: from n/a through 1.5.7.
Title WordPress Beacon Lead Magnets and Lead Capture Plugin <= 1.5.7 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:30.904Z

Reserved: 2025-01-23T14:51:34.072Z

Link: CVE-2025-24637

Vulnrichment

Updated: 2025-04-17T17:43:27.246Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:33.210

Modified: 2026-06-17T08:59:21.517

Link: CVE-2025-24637

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:30:14Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')