Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kdmurray Random Image Selector random-image-selector allows Reflected XSS. This issue affects Random Image Selector: from n/a through <= 2.4.
Published: 2025-03-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress Random Image Selector plugin does not neutralize input before writing it into page output, so an attacker can embed script in a parameter the plugin reflects. The injected script executes in the victim's browser within the context of the site, potentially enabling client-side data theft or other harmful actions. The description does not name the reflected parameter; the reflected-input vector is inferred from the description and the CWE-79 classification.

Affected Systems

WordPress installations running the Random Image Selector plugin by kdmurray are exposed to reflected XSS; the description lists every version from n/a through 2.4 as affected. The advisory title separately names release 1.5.6 as vulnerable, so any installation on that or an older release is affected.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High) reflects a client-side attack with changed scope (S:C). An EPSS score below 1% indicates a low likelihood of exploitation in the wild, and the vulnerability is not tracked in CISA's KEV catalog. Exploitation requires user interaction (UI:R), typically the victim visiting a crafted URL or interacting with the affected plugin, which is the standard reflected XSS scenario.

Generated by OpenCVE AI on May 2, 2026 at 03:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Random Image Selector plugin to a version newer than 2.4 (or to the latest available) that addresses the XSS issue
  • If an upgrade is not immediately possible, disable or delete the plugin to eliminate the vulnerable code
  • Deploy a strong content‑security‑policy (CSP) and ensure all user input is properly sanitized to mitigate future cross‑site scripting

Advisories
Source: EUVD
ID: EUVD-2025-6635
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Random Image Selector allows Reflected XSS. This issue affects Random Image Selector: from n/a through 2.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Random Image Selector allows Reflected XSS. This issue affects Random Image Selector: from n/a through 2.4.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kdmurray Random Image Selector random-image-selector allows Reflected XSS. This issue affects Random Image Selector: from n/a through <= 2.4.

Type: References
Values: (not shown)

Type: Metrics (cvssV3_1)
Values: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 15 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00047}
Values Added: {'score': 0.00072}

Mon, 17 Mar 2025 17:15:00 +0000

Type: Metrics (ssvc)
Values: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 15 Mar 2025 22:15:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Random Image Selector allows Reflected XSS. This issue affects Random Image Selector: from n/a through 2.4.

Type: Title
Values Added: WordPress Random Image Selector plugin <= 1.5.6 - Reflected Cross-Site Scripting vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References
Values: (not shown)

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:37.981Z

Reserved: 2025-02-12T13:58:25.801Z

Link: CVE-2025-26548

Vulnrichment

Updated: 2025-03-17T16:50:50.286Z

NVD

Status: Deferred

Published: 2025-03-15T22:15:12.933

Modified: 2026-04-23T15:25:47.100

Link: CVE-2025-26548

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T03:45:33Z

Weaknesses