CVE-2025-26573 - Vulnerability Details

- WordPress Rizzi Guestbook plugin <= 4.0.1 - Cross Site Scripting (XSS) vulnerability

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JamRizzi Technologies Rizzi Guestbook rizzi-guestbook allows Reflected XSS.This issue affects Rizzi Guestbook: from n/a through <= 4.0.1.

Published: 2025-03-26

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, allowing attackers to perform a reflected XSS attack against users viewing the Rizzi Guestbook plugin. This type of weakness (CWE‑79) can enable the injection of arbitrary JavaScript; an attacker could hijack user sessions, redirect users to malicious sites, or perform phishing campaigns on the victim’s domain.

Affected Systems

JamRizzi Technologies’ Rizzi Guestbook plugin is affected, specifically all releases through and including version 4.0.1.

Risk and Exploitability

The CVSS score of 7.1 places this flaw in the high‐severity range, yet the EPSS score of less than 1% indicates a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to craft a URL that includes unsanitized input to trigger the reflected XSS; no additional privileges or network access are required.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

JamRizzi Technologies

Rizzi Guestbook

unaffected

Version	Status	Constraints
`0`	affected	≤ 4.0.1

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install the latest version of the Rizzi Guestbook plugin (4.0.2 or later) once it is available to address the XSS flaw.
If an upgrade is not immediately possible, disable or remove the plugin from the WordPress installation to eliminate the attack surface.
Implement an application‑level input filtering or use a Web Application Firewall to block reflected XSS payloads targeting the guestbook URLs.

Generated by OpenCVE AI on May 1, 2026 at 13:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-8167	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Rizzi Guestbook allows Reflected XSS. This issue affects Rizzi Guestbook: from n/a through 4.0.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00338.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/rizzi-guestbook/vulnerability/wordpress-rizzi-guestbook-plugin-4-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Rizzi Guestbook allows Reflected XSS. This issue affects Rizzi Guestbook: from n/a through 4.0.1.	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JamRizzi Technologies Rizzi Guestbook rizzi-guestbook allows Reflected XSS.This issue affects Rizzi Guestbook: from n/a through <= 4.0.1.
References	https://patchstack.com/database/wordpress/plugin/rizzi-guestbook/vulnerability/wordpress-rizzi-guestbook-plugin-4-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/rizzi-guestbook/vulnerability/wordpress-rizzi-guestbook-plugin-4-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}`

Wed, 26 Mar 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 26 Mar 2025 14:45:00 +0000

Type	Values Removed	Values Added
Description		Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Rizzi Guestbook allows Reflected XSS. This issue affects Rizzi Guestbook: from n/a through 4.0.1.
Title		WordPress Rizzi Guestbook plugin <= 4.0.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses		CWE-79
References		https://patchstack.com/database/wordpress/plugin/rizzi-guestbook/vulnerability/wordpress-rizzi-guestbook-plugin-4-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-03-26T14:24:19.969Z

Updated: 2026-04-28T16:11:39.147Z

Reserved: 2025-02-12T13:58:47.896Z

Link: CVE-2025-26573

Vulnrichment

Updated: 2025-03-26T15:08:55.826Z

NVD

Status : Deferred

Published: 2025-03-26T15:16:11.040

Modified: 2026-06-17T09:02:02.890

Link: CVE-2025-26573

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T13:30:17Z

Weaknesses

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object