Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Thorsten Ott Debug-Bar-Extender debug-bar-extender allows Reflected XSS. This issue affects Debug-Bar-Extender: from n/a through <= 0.5.
Published: 2025-03-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Thorsten Ott’s Debug‑Bar‑Extender plugin for WordPress contains an improper neutralization of input during web page generation, allowing attackers to inject arbitrary JavaScript via unsanitized query parameters. The flaw manifests as a reflected cross‑site scripting vulnerability, meaning users who view a maliciously crafted URL can have unintended scripts executed in their browser. This can lead to session hijacking, cookie theft, or malicious content injection if not mitigated.

Affected Systems

The vulnerability impacts WordPress sites that have the Debug‑Bar‑Extender plugin version 0.5 or earlier installed. Sites with the plugin active expose any user who follows a crafted link to the site to reflected XSS.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, yet the EPSS score is below 1%, suggesting a low exploitation probability so far. The flaw is not listed in the CISA KEV catalog. The likely attack vector is remote exploitation via a crafted link, requiring no authentication but relying on victims to open or click the malicious URL. If a user is lured into opening such a link through phishing or malicious advertising, the injected script runs in that user's browser with the user's privileges on the site.

Generated by OpenCVE AI on May 1, 2026 at 13:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Debug‑Bar‑Extender plugin to the latest available version, or uninstall it if a newer release is not available.
  • If the plugin cannot be upgraded immediately, disable or remove it from the site to eliminate the XSS surface.
  • Deploy a web application firewall rule to reject or sanitize the vulnerable query parameters and block inline script execution.


Advisories
Source: EUVD
ID: EUVD-2025-6643
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Debug-Bar-Extender allows Reflected XSS. This issue affects Debug-Bar-Extender: from n/a through 0.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description (removed): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Debug-Bar-Extender allows Reflected XSS. This issue affects Debug-Bar-Extender: from n/a through 0.5.
Description (added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Thorsten Ott Debug-Bar-Extender debug-bar-extender allows Reflected XSS.This issue affects Debug-Bar-Extender: from n/a through <= 0.5.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss (removed):

{'score': 0.00047}

Metrics epss (added):

{'score': 0.00072}


Mon, 17 Mar 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 15 Mar 2025 22:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Debug-Bar-Extender allows Reflected XSS. This issue affects Debug-Bar-Extender: from n/a through 0.5.
Title WordPress Debug-Bar-Extender Plugin <= 0.5 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:38.452Z

Reserved: 2025-02-12T13:58:39.276Z

Link: CVE-2025-26555

Vulnrichment

Updated: 2025-03-17T16:12:51.363Z

NVD

Status : Deferred

Published: 2025-03-15T22:15:13.413

Modified: 2026-04-23T15:25:47.957

Link: CVE-2025-26555

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:00:15Z

Weaknesses