Description
The Digital License Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg() function without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-03-25
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Digital License Manager plugin for WordPress contains a reflected cross‑site scripting flaw caused by the use of the remove_query_arg() function without proper escaping. An unauthenticated attacker can embed arbitrary JavaScript in a URL, which is subsequently reflected in pages when a user follows the link or performs an action that triggers the URL. This allows attackers to run malicious scripts in the context of the victim’s browser, potentially stealing cookies, hijacking sessions, defacing content or installing malware.

Affected Systems

WordPress sites running codeverve Digital License Manager versions 1.7.3 and earlier are affected. The vulnerability exists in all supported releases up to and including 1.7.3 of the plugin.

Risk and Exploitability

The CVSS score of 6.1 indicates a medium severity flaw, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The flaw is not listed in the CISA KEV catalog. Exploitation requires an attacker to craft a malicious URL that the victim follows, which can be achieved through phishing or social engineering. Once the victim clicks the link, the injected script executes with the permissions of the logged‑in user, exposing the site to session theft or defacement.

Generated by OpenCVE AI on April 21, 2026 at 21:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Digital License Manager to the latest stable release (≥ 1.7.4) where the XSS issue is resolved with proper escaping in the remove_query_arg() function.
  • If an immediate plugin upgrade cannot be performed, edit the file `activations.php` at the line that calls remove_query_arg(): wrap the resulting URL with esc_url() or esc_url_raw() before it is sent to the browser; consult the plugin’s changelog or the referenced changeset for guidance on the correct implementation.
  • Deploy a site‑wide Content Security Policy that blocks inline scripts—for example, add the header `Content‑Security‑Policy: default-src 'self'; script-src 'self';` or use a meta tag `<meta http-equiv="Content‑Security‑Policy" content="default-src 'self'; script-src 'self';">`—and test the policy in a staging environment before enabling it on production.

Generated by OpenCVE AI on April 21, 2026 at 21:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-8836 The Digital License Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg() function without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
History

Mon, 31 Mar 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 25 Mar 2025 09:30:00 +0000

Type Values Removed Values Added
Description The Digital License Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg() function without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title Digital License Manager <= 1.7.3 - Reflected Cross-Site Scripting via remove_query_arg Function
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:38.513Z

Reserved: 2025-03-21T22:08:46.866Z

Link: CVE-2025-2635

cve-icon Vulnrichment

Updated: 2025-03-31T16:28:19.355Z

cve-icon NVD

Status : Deferred

Published: 2025-03-25T10:15:16.430

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2635

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T21:45:25Z

Weaknesses