Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 BEAR woo-bulk-editor allows Stored XSS. This issue affects BEAR: from n/a through <= 1.1.4.4.
Published: 2025-02-17
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, which allows an attacker to inject arbitrary JavaScript that is subsequently saved in the database and executed in the browsers of users who view the affected content. The impact is that a malicious script could steal user credentials, deface the site, or compromise nearby systems through browser-based attack vectors. The weakness is identified as CWE‑79, which denotes a failure to properly validate or encode user-supplied data before rendering it in a web page.

Affected Systems

The affected product is RealMag777 BEAR, the WooCommerce Bulk Editor and Products Manager Professional plugin for WordPress. Versions from the initial release up through 1.1.4.4 are impacted, according to the vendor’s version range statement. Any WordPress site installing one of these versions is vulnerable, regardless of the WordPress core or theme version.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate security risk. The EPSS score of less than 1% suggests that the likelihood of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is via the plugin’s administrative interface, where an authenticated user can submit data that is not properly sanitized. Although an attacker would need write access to the plugin’s data store, the stored nature of the XSS means that once inserted, the payload can affect any visitor to the site. The modest severity and exploit probability should still prompt immediate patching to eliminate the risk of exploitation.

Generated by OpenCVE AI on May 1, 2026 at 16:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the BEAR plugin to version 1.1.4.5 or later, or to the latest release available from RealMag777.
  • If the plugin cannot be updated promptly, remove the BEAR plugin from the WordPress installation to prevent the XSS vector from being used.
  • After remediation, review the site for any saved malicious scripts, clear the database cache, and test that pages no longer render injected JavaScript.

Advisories
Source: EUVD
ID: EUVD-2025-4870
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 BEAR allows Stored XSS. This issue affects BEAR: from n/a through 1.1.4.4.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 BEAR allows Stored XSS. This issue affects BEAR: from n/a through 1.1.4.4.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 BEAR woo-bulk-editor allows Stored XSS. This issue affects BEAR: from n/a through <= 1.1.4.4.

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}
Values Added: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Wed, 16 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00056}
Values Added: epss {'score': 0.00025}


Wed, 19 Mar 2025 21:00:00 +0000

Type: First Time appeared
Values Added: Pluginus; Pluginus bear - Woocommerce Bulk Editor And Products Manager Professional

Type: CPEs
Values Added: cpe:2.3:a:pluginus:bear_-_woocommerce_bulk_editor_and_products_manager_professional:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Pluginus; Pluginus bear - Woocommerce Bulk Editor And Products Manager Professional

Tue, 18 Feb 2025 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 17 Feb 2025 11:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 BEAR allows Stored XSS. This issue affects BEAR: from n/a through 1.1.4.4.

Type: Title
Values Added: WordPress BEAR Plugin <= 1.1.4.4 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:40.976Z

Reserved: 2025-02-14T06:53:43.229Z

Link: CVE-2025-26775

Vulnrichment

Updated: 2025-02-18T15:09:05.272Z

NVD

Status: Modified

Published: 2025-02-17T12:15:29.260

Modified: 2026-04-23T15:25:57.627

Link: CVE-2025-26775

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T16:15:20Z

Weaknesses