Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in devu Status Updater fb-status-updater allows Reflected XSS. This issue affects Status Updater: from n/a through <= 1.9.2.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The devu Status Updater plugin fails to neutralize user-supplied input during web page generation, resulting in a reflected cross‑site scripting (XSS) flaw (CWE‑79). Attacker-controlled input is echoed back into the page without proper output encoding, so script embedded in a crafted request executes in the victim's browser. This can lead to cookie theft, session hijacking, site defacement, or phishing campaigns that exploit the victim’s browser environment.

Affected Systems

The vulnerability affects the WordPress Status Updater plugin developed by devu, with all releases from the first build up to and including version 1.9.2. Hosts that have not applied the latest security fixes are at risk.

Risk and Exploitability

With a CVSS score of 7.1, the flaw is of moderate to high severity, while an EPSS score of less than 1% indicates a very low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog, indicating no known exploitation in the wild. The likely attack vector is a crafted URL that triggers the plugin’s reflected output, which an attacker could distribute via email, social media, or other channels. Exploitation requires the victim to open the malicious link, after which client‑side code runs within the context of the affected WordPress site.

Generated by OpenCVE AI on May 2, 2026 at 03:49 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the Status Updater plugin to a version that eliminates the reflected XSS flaw.
  • If a patch is not yet available, deactivate or uninstall the plugin until a fix is released.
  • Review any custom code that supplies input to the plugin’s rendering logic and apply proper output encoding or sanitization in line with CWE‑79 best practices.
  • Consider implementing a Content Security Policy to restrict script execution as an interim mitigation.
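The third and fourth recommendations above (context-aware output encoding and an interim Content Security Policy) are illustrated below in WordPress PHP. This is an added example, not code from the Status Updater plugin or from OpenCVE; the affected parameter in the real plugin is not identified on this page, so the request parameters `status_msg` and `return_to`, the shortcode name and the function names are hypothetical. The WordPress functions used (`wp_unslash`, `sanitize_text_field`, `esc_html`, `esc_attr`, `esc_url`, `add_shortcode`, `add_action`, `home_url`) are real core APIs.

```php
<?php
// Added illustration of CWE-79 output encoding in a WordPress plugin.
// NOT the Status Updater plugin's code; parameter and function names
// are hypothetical.

// Vulnerable pattern: a request parameter is concatenated straight into
// HTML. Whatever the user sends in ?status_msg=... is reflected verbatim,
// which is the shape of flaw described in this advisory.
function hypothetical_render_status_vulnerable() {
    $msg = isset( $_GET['status_msg'] ) ? wp_unslash( $_GET['status_msg'] ) : '';
    return '<div class="status-msg">' . $msg . '</div>'; // reflected XSS
}

// Hardened pattern: sanitize on input, then escape at the point of output
// with the encoder that matches each HTML context.
function hypothetical_render_status_safe() {
    $msg = isset( $_GET['status_msg'] )
        ? sanitize_text_field( wp_unslash( $_GET['status_msg'] ) )
        : '';
    $link = isset( $_GET['return_to'] )
        ? wp_unslash( $_GET['return_to'] )
        : home_url( '/' );

    // esc_html() for text nodes, esc_attr() for attribute values,
    // esc_url() for href/src (rejects javascript: and similar schemes).
    return sprintf(
        '<div class="status-msg" data-msg="%s">%s <a href="%s">back</a></div>',
        esc_attr( $msg ),
        esc_html( $msg ),
        esc_url( $link )
    );
}
add_shortcode( 'hypothetical_status', 'hypothetical_render_status_safe' );

// Interim mitigation: a Content Security Policy that forbids inline script,
// so reflected markup does not execute even where an encoder was missed.
// Tighten or loosen the directives to match what the site legitimately loads.
function hypothetical_send_csp() {
    if ( ! headers_sent() ) {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
    }
}
add_action( 'send_headers', 'hypothetical_send_csp' );
```

Two practical caveats: `sanitize_text_field()` alone is not an output encoder (it strips tags but does not encode quotes for attribute context), so the escaping calls in the safe variant are still required; and a `script-src 'self'` policy will block any inline `<script>` blocks that themes or other plugins emit, so roll the CSP out in `Content-Security-Policy-Report-Only` mode first and check the reports before enforcing it.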

Generated by OpenCVE AI on May 2, 2026 at 03:49 UTC.


Advisories
Source: EUVD
ID: EUVD-2025-5649
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in devu Status Updater allows Reflected XSS. This issue affects Status Updater: from n/a through 1.9.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description, value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in devu Status Updater allows Reflected XSS. This issue affects Status Updater: from n/a through 1.9.2.
  Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in devu Status Updater fb-status-updater allows Reflected XSS.This issue affects Status Updater: from n/a through <= 1.9.2.
  References: changed (values not shown)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 04 Mar 2025 03:45:00 +0000

  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 03 Mar 2025 13:45:00 +0000

  Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in devu Status Updater allows Reflected XSS. This issue affects Status Updater: from n/a through 1.9.2.
  Title, value added: WordPress Status Updater Plugin <= 9.21 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses, value added: CWE-79
  References: changed (values not shown)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:35.867Z

Reserved: 2025-02-03T13:34:51.002Z

Link: CVE-2025-25124

Vulnrichment

Updated: 2025-03-03T15:59:42.579Z

NVD

Status: Deferred

Published: 2025-03-03T14:15:52.183

Modified: 2026-04-23T15:25:39.293

Link: CVE-2025-25124

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T04:00:13Z

Weaknesses