Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DotsquaresLtd Migrate Posts migrate-post allows Reflected XSS. This issue affects Migrate Posts: from n/a through <= 1.0.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Migrate Posts plugin (versions up to 1.0) improperly neutralizes input during web page generation, allowing attackers to inject reflected XSS payloads. This weakness, classified as CWE‑79, permits an attacker to embed malicious script into pages served by the site, potentially executing code in the victim's browser session and leading to defacement, credential theft, or session hijacking. The impact is limited to the browser context of users who interact with the vulnerable plugin’s output, but it can compromise site integrity and user security.

Affected Systems

WordPress plugin "Migrate Posts", developed by Dotsquares Ltd. Affected versions are all releases up to and including 1.0.

Risk and Exploitability

The CVSS score indicates a high severity of 7.1. The EPSS score of less than 1% shows a low probability of exploitation as of now, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is reflected input via URLs or form fields handled by the plugin; this is inferred because the description states the flaw allows reflected XSS.

Generated by OpenCVE AI on May 1, 2026 at 14:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Migrate Posts plugin to a version newer than 1.0 to apply the vendor‑supplied fix.
  • If an upgrade is not feasible, deactivate and uninstall the plugin to eliminate the vulnerable code path.
  • Implement a Content Security Policy that blocks inline scripts or deploy a web application firewall rule that filters reflected XSS payloads as a temporary protective measure.

Advisories
Source: EUVD
ID: EUVD-2025-5640
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Migrate Posts allows Reflected XSS. This issue affects Migrate Posts: from n/a through 1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Migrate Posts allows Reflected XSS. This issue affects Migrate Posts: from n/a through 1.0.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DotsquaresLtd Migrate Posts migrate-post allows Reflected XSS. This issue affects Migrate Posts: from n/a through <= 1.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 03 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Migrate Posts allows Reflected XSS. This issue affects Migrate Posts: from n/a through 1.0.
Title WordPress Migrate Posts Plugin <=1.0 - Post Based Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:37.572Z

Reserved: 2025-02-03T13:35:41.374Z

Link: CVE-2025-25170

Vulnrichment

Updated: 2025-03-03T15:50:24.108Z

NVD

Status: Deferred

Published: 2025-03-03T14:15:54.613

Modified: 2026-04-23T15:25:44.680

Link: CVE-2025-25170

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:30:06Z

Weaknesses