Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in takumin WP Simple Slideshow wp-simple-slideshow allows Reflected XSS. This issue affects WP Simple Slideshow: from n/a through <= 1.0.
Published: 2025-03-26
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected XSS flaw in the WP Simple Slideshow plugin for WordPress. Improper neutralization of input during web page generation allows an attacker to inject arbitrary script that executes in the browser of visitors who view a crafted page or click a malicious link. This is a CWE-79 weakness, which can lead to session hijacking, credential theft, defacement, or delivery of additional malware. Plugin versions through 1.0 are affected.

Affected Systems

The affected product is the WP Simple Slideshow plugin developed by takumin, part of the WordPress ecosystem. Any WordPress installation that has this plugin installed and is running version 1.0 or older is susceptible.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity vulnerability. The EPSS score of less than 1% suggests a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Attackers can abuse the flaw through normal web requests, typically by embedding malicious scripts in query parameters that the plugin reflects back in the page. Victims must be tricked into visiting a crafted URL, so the risk is primarily to users who interact with an affected site. No special privileges or network conditions are required beyond the ability to craft a URL.

Generated by OpenCVE AI on May 1, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Simple Slideshow to the latest available release that contains the XSS fix, or uninstall the plugin if it is no longer required.
  • Ensure that any remaining user input handled by the plugin is properly sanitized or escaped before output, applying WordPress functions such as esc_html() or esc_url().
  • Deploy a web application firewall or a security plugin that filters out known XSS payloads and blocks malicious script injection attempts.
  • Monitor site activity and review security logs for attempts to inject malicious scripts, and keep the WordPress core and other plugins up to date to mitigate other vulnerabilities.



Advisories
Source: EUVD
ID: EUVD-2025-8165
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in takumin WP Simple Slideshow allows Reflected XSS. This issue affects WP Simple Slideshow: from n/a through 1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in takumin WP Simple Slideshow allows Reflected XSS. This issue affects WP Simple Slideshow: from n/a through 1.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in takumin WP Simple Slideshow wp-simple-slideshow allows Reflected XSS. This issue affects WP Simple Slideshow: from n/a through <= 1.0.
Type: References
Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 26 Mar 2025 15:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 26 Mar 2025 14:45:00 +0000

Type: Description
Value: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in takumin WP Simple Slideshow allows Reflected XSS. This issue affects WP Simple Slideshow: from n/a through 1.0.
Type: Title
Value: WordPress WP Simple Slideshow Plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Value: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:39.009Z

Reserved: 2025-02-12T13:58:55.638Z

Link: CVE-2025-26576

Vulnrichment

Updated: 2025-03-26T15:08:11.231Z

NVD

Status: Deferred

Published: 2025-03-26T15:16:11.363

Modified: 2026-06-17T09:02:03.183

Link: CVE-2025-26576

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T13:30:17Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')