Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTWthemes Content Manager Light content-manager-light allows Reflected XSS. This issue affects Content Manager Light: from n/a through <= 3.2.
Published: 2025-07-04
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user-supplied input in OTWthemes Content Manager Light for WordPress results in reflected cross-site scripting (XSS, CWE-79). A request parameter is written into the generated page without adequate output encoding, so an attacker who gets a victim to open a crafted URL can run arbitrary JavaScript in the victim's browser within the origin of the affected site. Typical consequences are performing actions with the victim's privileges (including administrative actions if the victim is a logged-in administrator), defacing the page the victim sees, or redirecting them to further malicious content. WordPress marks its authentication cookies HttpOnly, so reading the session cookie directly is usually not possible, but script running in the site's origin can still issue authenticated requests on the victim's behalf.

Affected Systems

The flaw affects all versions of the OTWthemes Content Manager Light WordPress plugin (slug content-manager-light) up to and including 3.2. Any WordPress site with the plugin active is exposed wherever the plugin renders a request parameter into a page that an unauthenticated visitor can reach; the advisory does not name the specific parameter. No fixed version is listed, so treat every deployment running 3.2 or older as affected.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) describes an attack that is reachable over the network and needs no authentication but does require user interaction: the victim must open an attacker-controlled link that carries the payload in the vulnerable query string, after which the reflected script runs in the victim's browser in the site's origin. The changed scope (S:C) records that the vulnerable component is the plugin while the impact lands in the user's browser. The EPSS probability below 1% predicts a low likelihood of exploitation in the wild over the next 30 days; it says nothing about technique. The vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment recorded in the history below rates exploitation as "none" and the issue as not automatable, consistent with the need for a lured victim.

Generated by OpenCVE AI on May 1, 2026 at 06:58 UTC.
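The reflection check a tester would run against a page like this, as an added example that is not part of the OpenCVE write-up and not the plugin's code. It injects a canary wrapped in the HTML delimiters that matter, then reports which delimiters came back unencoded. The parameter name q and the two page renderers (one echoing input raw, one applying output encoding) are constructed stand-ins for illustration, not the plugin's real parameter or markup:

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

CANARY = "xssprobe"
# Characters that must not survive unescaped when user input lands in HTML.
DANGEROUS = ["<", ">", '"', "'"]


def vulnerable_page(query):
    """Constructed stand-in for an unpatched page: echoes the hypothetical
    parameter "q" into the markup verbatim. Not the plugin's real code."""
    term = query.get("q", [""])[0]
    return f"<h2>Results for {term}</h2>"


def patched_page(query):
    """Same page with output encoding applied (WordPress code would use
    esc_html()/esc_attr(); html.escape() plays that role here)."""
    term = query.get("q", [""])[0]
    return f"<h2>Results for {html.escape(term, quote=True)}</h2>"


def build_probe(canary=CANARY):
    """Canary, the dangerous characters, canary again: whatever survives
    between the two canaries in the response was reflected without encoding."""
    return f"{canary}<>\"'{canary}"


def reflection_report(body, canary=CANARY):
    """Report whether the canary came back and which delimiters came back raw."""
    start = body.find(canary)
    if start == -1:
        return {"reflected": False, "unescaped": []}
    end = body.find(canary, start + len(canary))
    between = body[start + len(canary):end] if end != -1 else ""
    return {"reflected": True, "unescaped": [c for c in DANGEROUS if c in between]}


def probe_param(fetch, url, param):
    """Inject the probe into `param` of `url` and classify the response.

    `fetch` is a callable taking the parsed query dict and returning the page
    body; against a live site you would replace it with an HTTP GET of the
    returned "url" value.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query[param] = [build_probe()]
    probe_url = urlunsplit(parts._replace(query=urlencode(query, doseq=True)))
    report = reflection_report(fetch(query))
    report["url"] = probe_url
    report["vulnerable"] = bool(report["unescaped"])
    return report


if __name__ == "__main__":
    for name, page in (("unpatched", vulnerable_page), ("patched", patched_page)):
        print(name, probe_param(page, "https://wp.example.test/?q=news", "q"))
```

A raw `<` or `>` coming back means script tags can be injected into element content; a raw `"` or `'` means an attribute value can be broken out of, which is enough for an event-handler payload even where tags are filtered. Run the probe only against systems you are authorized to test.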

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the official WordPress plugin repository for a release of Content Manager Light later than 3.2 and update if one exists. This page lists no fixed version, so do not assume an update is available.
  • If no fixed release exists, deactivate the plugin until one does, or at minimum front its public pages with a web application firewall rule that rejects requests whose query-string values contain HTML tag or attribute delimiters. WordPress offers no setting that "disables" a plugin's query parameters, so that is not a usable workaround on its own.
  • As defense in depth, deploy a Content Security Policy whose script-src does not allow 'unsafe-inline' (use per-response nonces or hashes instead) and restricts script origins to those you trust. This does not fix the bug, but it stops the typical reflected inline payload from executing; test it carefully, because WordPress themes and plugins commonly rely on inline scripts.

Generated by OpenCVE AI on May 1, 2026 at 06:58 UTC.
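A check for the CSP recommendation above, added here as an example that is not part of the OpenCVE write-up: it parses a Content-Security-Policy header value and decides whether an injected inline script would be blocked. The two header values are constructed for illustration; the cdn.example.test origin and the nonce value are placeholders.

```python
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy):
    """script-src governs scripts; default-src is the fallback when it is absent."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def blocks_inline_scripts(header):
    """True when the policy stops an injected inline <script> from running."""
    sources = script_sources(parse_csp(header))
    if sources is None:
        return False  # nothing governs scripts: inline execution is allowed
    lowered = [s.lower() for s in sources]
    uses_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in lowered)
    # CSP Level 2 and later: 'unsafe-inline' is ignored once a nonce or hash
    # source is present in the same directive.
    if "'unsafe-inline'" in lowered and not uses_nonce_or_hash:
        return False
    return True


# Constructed header values for illustration (not from any real site).
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.test"
STRICT_CSP = ("default-src 'self'; script-src 'self' 'nonce-9kZ3bQ1x' https://cdn.example.test; "
              "object-src 'none'; base-uri 'self'")

if __name__ == "__main__":
    for label, value in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(label, "blocks inline scripts:", blocks_inline_scripts(value))
```

The nonce only helps if it is generated fresh for every response and attached to each legitimate inline script the site emits; a static nonce, or one the attacker can read from the page before the payload runs, gives no protection. A reflected payload that lands inside an existing `<script>` block rather than as a new tag is also not stopped by this check, which is why the policy is a mitigation and not a substitute for fixing the output encoding.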


Advisories
Source ID Title
EUVD EUVD-2025-19967 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTWthemes Content Manager Light allows Reflected XSS. This issue affects Content Manager Light: from n/a through 3.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTWthemes Content Manager Light allows Reflected XSS. This issue affects Content Manager Light: from n/a through 3.2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTWthemes Content Manager Light content-manager-light allows Reflected XSS.This issue affects Content Manager Light: from n/a through <= 3.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 07 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Jul 2025 11:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTWthemes Content Manager Light allows Reflected XSS. This issue affects Content Manager Light: from n/a through 3.2.
Title WordPress Content Manager Light plugin <= 3.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:34.252Z

Reserved: 2025-01-23T14:53:16.440Z

Link: CVE-2025-24771

Vulnrichment

Updated: 2025-07-07T14:40:33.564Z

NVD

Status : Deferred

Published: 2025-07-04T12:15:26.320

Modified: 2026-06-17T08:59:34.870

Link: CVE-2025-24771

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:00:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')