Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cristopher Dino IE CSS3 Support ie-css3-support allows Reflected XSS.This issue affects IE CSS3 Support: from n/a through <= 2.0.1.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The IE CSS3 Support plugin for WordPress includes an improper neutralization of input during page generation, leading to a reflected cross‑site scripting vulnerability. An attacker could supply crafted input via a URL or form that the plugin does not sanitize, resulting in the execution of malicious scripts in the context of users who view the affected page.

Affected Systems

Vulnerable installations are WordPress sites that currently use the CI, Dino IE CSS3 Support plugin version 2.0.1 or earlier. The patch set was informed by the vendor only up to version 2.0.1, with no stable release beyond that stated.

Risk and Exploitability

The CVSS score of 7.1 categorizes this flaw as high‑severity. The EPSS score of less than 1% indicates a low but non‑zero probability that exploitation is occurring in the wild, and it is not listed in the CISA KEV catalog. Because it is a reflected XSS, an attacker would need to lure a victim to a crafted URL or supply input to a form that invokes the plugin, then wait for the victim’s browser to render the response. This can lead to defacement, cookie theft, or credential phishing and is generally considered a high‑impact threat that can be mitigated by vendor support or by disabling the plugin.

Generated by OpenCVE AI on May 1, 2026 at 14:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the IE CSS3 Support plugin to the latest available version, or uninstall it if no newer release exists.
  • If an update is not possible, disable the plugin to prevent reflected XSS payloads from reaching users.
  • Deploy a Web Application Firewall rule that blocks suspicious script payloads or enforces output encoding on the WordPress site.

Generated by OpenCVE AI on May 1, 2026 at 14:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-5610 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound IE CSS3 Support allows Reflected XSS. This issue affects IE CSS3 Support: from n/a through 2.0.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound IE CSS3 Support allows Reflected XSS. This issue affects IE CSS3 Support: from n/a through 2.0.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cristopher Dino IE CSS3 Support ie-css3-support allows Reflected XSS.This issue affects IE CSS3 Support: from n/a through <= 2.0.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 03 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound IE CSS3 Support allows Reflected XSS. This issue affects IE CSS3 Support: from n/a through 2.0.1.
Title WordPress IE CSS3 Support Plugin <= 2.0.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:39.358Z

Reserved: 2025-02-12T13:59:03.606Z

Link: CVE-2025-26589

cve-icon Vulnrichment

Updated: 2025-03-03T15:36:59.729Z

cve-icon NVD

Status : Deferred

Published: 2025-03-03T14:15:56.067

Modified: 2026-06-17T09:02:04.440

Link: CVE-2025-26589

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T14:30:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')