Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joe Auction Nudge – Your eBay on Your Site auction-nudge allows Stored XSS.This issue affects Auction Nudge – Your eBay on Your Site: from n/a through <= 7.2.0.
Published: 2025-01-24
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored Cross‑Site Scripting flaw where user‑controlled input is incorporated into web page content without proper neutralization. An attacker who can inject and store malicious script could execute code in the browser context of any visitor to the affected WordPress site, potentially allowing session hijacking, credential theft, defacement, or other client‑side attacks. The weakness is identified as CWE-79.

Affected Systems

WordPress plugin "Auction Nudge – Your eBay on Your Site" produced by Joe is affected. All releases from the earliest to version 7.2.0 are vulnerable.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, and the extremely low EPSS (<1%) suggests that widespread exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is stored XSS, the attacker must place malicious content into a field that is later rendered to users; thus the likely attack vector involves an authenticated user (such as an administrator or a valid contributor) inserting script into a form or message that is subsequently displayed to site visitors. Once the payload is stored, any user visiting the affected page can be impacted.

Generated by OpenCVE AI on May 1, 2026 at 18:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Auction Nudge – Your eBay on Your Site plugin to the latest available version, which remedies the stored XSS issue.
  • If a patch is unavailable, remove or deactivate the plugin to eliminate the attack surface.
  • As a temporary safeguard, apply a content security policy that blocks inline scripts and ensure that any content generated by the plugin is properly escaped; this mitigates the risk while a permanent fix is applied.

Generated by OpenCVE AI on May 1, 2026 at 18:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3853 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joe Hawes Auction Nudge – Your eBay on Your Site allows Stored XSS. This issue affects Auction Nudge – Your eBay on Your Site: from n/a through 7.2.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joe Hawes Auction Nudge – Your eBay on Your Site allows Stored XSS. This issue affects Auction Nudge – Your eBay on Your Site: from n/a through 7.2.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joe Auction Nudge – Your eBay on Your Site auction-nudge allows Stored XSS.This issue affects Auction Nudge – Your eBay on Your Site: from n/a through <= 7.2.0.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Fri, 24 Jan 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Jan 2025 17:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joe Hawes Auction Nudge – Your eBay on Your Site allows Stored XSS. This issue affects Auction Nudge – Your eBay on Your Site: from n/a through 7.2.0.
Title WordPress Auction Nudge – Your eBay on Your Site plugin <= 7.2.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T23:47:22.207Z

Reserved: 2025-01-23T14:51:49.212Z

Link: CVE-2025-24658

cve-icon Vulnrichment

Updated: 2025-01-24T18:46:15.704Z

cve-icon NVD

Status : Deferred

Published: 2025-01-24T18:15:39.853

Modified: 2026-06-17T08:59:23.593

Link: CVE-2025-24658

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T18:45:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')