Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rachel Cherry Authors Autocomplete Meta Box authors-autocomplete-meta-box allows Reflected XSS.This issue affects Authors Autocomplete Meta Box: from n/a through <= 1.2.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected Cross‑Site Scripting flaw that allows an attacker to inject malicious scripts into webpages generated by the plugin. The flaw arises from improper neutralization of user input during page rendering, giving an attacker the ability to execute arbitrary JavaScript while a user browses a page that includes the vulnerable plugin. This can lead to session hijacking, credential theft, data exfiltration, or defacement of the site.

Affected Systems

The issue affects the WordPress plugin Authors Autocomplete Meta Box created by Rachel Cherry. All installations running version 1.2 or earlier—no minimum version is specified—are vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity for this vulnerability. The EPSS score of less than 1% suggests a low probability of exploitation at any given time, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the likely attack vector is via a crafted URL or form input that is reflected back to the user, allowing a remote attacker to craft a malicious link or embed the attacker’s script in a request that users may click. The flaw does not require authentication and can be leveraged by any user visiting a vulnerable page.

Generated by OpenCVE AI on May 1, 2026 at 14:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Authors Autocomplete Meta Box plugin to a version newer than 1.2 that contains the XSS fix.
  • If an upgrade is not immediately possible, disable or remove the plugin to prevent the reflected XSS from being served to users.
  • Apply a browser‑side Content Security Policy that restricts script execution and blocks inline scripts, mitigating the impact if the vulnerability is temporarily exposed.

Generated by OpenCVE AI on May 1, 2026 at 14:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-5633 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Authors Autocomplete Meta Box allows Reflected XSS. This issue affects Authors Autocomplete Meta Box: from n/a through 1.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Authors Autocomplete Meta Box allows Reflected XSS. This issue affects Authors Autocomplete Meta Box: from n/a through 1.2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rachel Cherry Authors Autocomplete Meta Box authors-autocomplete-meta-box allows Reflected XSS.This issue affects Authors Autocomplete Meta Box: from n/a through <= 1.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 03 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Authors Autocomplete Meta Box allows Reflected XSS. This issue affects Authors Autocomplete Meta Box: from n/a through 1.2.
Title WordPress Authors Autocomplete Meta Box plugin <= 1.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:37.683Z

Reserved: 2025-02-03T13:35:31.280Z

Link: CVE-2025-25169

cve-icon Vulnrichment

Updated: 2025-03-03T15:59:21.423Z

cve-icon NVD

Status : Deferred

Published: 2025-03-03T14:15:54.477

Modified: 2026-04-23T15:25:44.570

Link: CVE-2025-25169

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T14:30:06Z

Weaknesses