Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Josh Harrison Yahoo BOSS yahoo-boss allows Reflected XSS. This issue affects Yahoo BOSS: from n/a through <= 0.7.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Yahoo BOSS plugin for WordPress contains an improper neutralization of input during page generation that permits reflected XSS. This flaw is classified as CWE‑79 and can allow a malicious actor to inject and execute arbitrary JavaScript in the context of a viewer’s browser, potentially leading to session hijacking, cookie theft, or defacement of the site’s content.

Affected Systems

WordPress sites running the Yahoo BOSS plugin by Josh Harrison are affected, specifically every release from the initial version through at least version 0.7. A site that has not upgraded beyond 0.7 remains vulnerable.

Risk and Exploitability

The CVSS base score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests a low current probability of exploitation, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is a crafted URL or form input that the plugin echoes into the page without proper escaping. On exploitation, an attacker's script runs in the browser of any user who views the affected page, because the browser treats it as part of the site's own content.

Generated by OpenCVE AI on May 2, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Yahoo BOSS plugin to the latest version, if one exists beyond 0.7, or remove the plugin entirely if no update is available.
  • Ensure that any user‑supplied data handled by the plugin is properly escaped or sanitized before rendering to the browser, following best practices for XSS mitigation.
  • If the plugin cannot be updated, restrict its use by disabling it in non‑admin contexts or configuring a Web Application Firewall to block XSS payloads targeting the plugin’s output.



Advisories

Source: EUVD
ID: EUVD-2025-5664
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Yahoo BOSS allows Reflected XSS. This issue affects Yahoo BOSS: from n/a through 0.7.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1), values added:
{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description, value removed:
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Yahoo BOSS allows Reflected XSS. This issue affects Yahoo BOSS: from n/a through 0.7.

Description, value added:
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Josh Harrison Yahoo BOSS yahoo-boss allows Reflected XSS. This issue affects Yahoo BOSS: from n/a through <= 0.7.

References: updated

Metrics (cvssV3_1), values added:
{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 04 Mar 2025 03:45:00 +0000

Metrics (ssvc), values added:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 03 Mar 2025 13:45:00 +0000

Description, value added:
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Yahoo BOSS allows Reflected XSS. This issue affects Yahoo BOSS: from n/a through 0.7.

Title, value added:
WordPress Yahoo BOSS Plugin <= 0.7 - Reflected Cross Site Scripting (XSS) vulnerability

Weaknesses, value added: CWE-79

References: added

Metrics (cvssV3_1), values added:
{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:35.521Z

Reserved: 2025-02-03T13:34:30.656Z

Link: CVE-2025-25102

Vulnrichment

Updated: 2025-03-03T16:00:10.615Z

NVD

Status: Deferred

Published: 2025-03-03T14:15:50.630

Modified: 2026-04-23T15:25:35.917

Link: CVE-2025-25102

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T04:00:13Z

Weaknesses