Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dhanendran Rajagopal Term Taxonomy Converter term-taxonomy-converter allows Reflected XSS. This issue affects Term Taxonomy Converter: from n/a through <= 1.2.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A reflected XSS flaw exists in the Term Taxonomy Converter plugin. Unsanitized user input supplied to the plugin is echoed back in a generated web page, allowing an attacker to inject malicious scripts that run in the context of the victim’s browser. This can lead to credential theft, session hijacking, defacement and other compromises of confidentiality, integrity or availability for users who view affected content.

Affected Systems

WordPress sites running the Term Taxonomy Converter plugin version 1.2 or earlier by Dhanendran Rajagopal. No further version granularity is specified beyond the <= 1.2 bound.

Risk and Exploitability

The CVSS score of 7.1 is rated High, while the EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not listed in CISA KEV. Based on the description, the attack is reflected: a crafted URL or payload must be delivered to a victim who then views the page, which matches the UI:R (user interaction required) component of the CVSS vector. The PR:N component of the vector indicates that the attacker needs no privileges; the impact is limited to the victim's browser session. Attackers can execute arbitrary JavaScript in the victim's context, enabling typical XSS-related exploits.

Generated by OpenCVE AI on May 2, 2026 at 01:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Term Taxonomy Converter plugin to a version later than 1.2 that removes the reflected XSS flaw, once one is available.
  • If an upgrade is not immediately possible, de‑activate or uninstall the plugin to eliminate the surface for exploitation.
  • Add web‑application firewall or security plugin rules that detect and block XSS payloads in URLs related to the plugin’s parameters.

Advisories
Source ID Title
EUVD EUVD-2025-11612 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dhanendran Rajagopal Term Taxonomy Converter allows Reflected XSS. This issue affects Term Taxonomy Converter: from n/a through 1.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dhanendran Rajagopal Term Taxonomy Converter allows Reflected XSS. This issue affects Term Taxonomy Converter: from n/a through 1.2.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dhanendran Rajagopal Term Taxonomy Converter term-taxonomy-converter allows Reflected XSS. This issue affects Term Taxonomy Converter: from n/a through <= 1.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 17 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dhanendran Rajagopal Term Taxonomy Converter allows Reflected XSS. This issue affects Term Taxonomy Converter: from n/a through 1.2.
Title WordPress Term Taxonomy Converter Plugin <= 1.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:10:23.777Z

Reserved: 2025-01-23T14:51:57.436Z

Link: CVE-2025-24670

Vulnrichment

Updated: 2025-04-17T17:43:43.733Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:33.867

Modified: 2026-06-17T08:59:24.767

Link: CVE-2025-24670

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T02:00:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')