Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gal_op WP Responsive Auto Fit Text wp-responsive-slab-text allows DOM-Based XSS. This issue affects WP Responsive Auto Fit Text: from n/a through <= 0.2.
Published: 2025-02-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, leading to a DOM‑Based XSS flaw. An attacker can inject malicious JavaScript that will execute in the browser context of any user who views a page rendered by the WP Responsive Auto Fit Text plugin. This allows the attacker to hijack sessions, steal credentials, or modify the page content, thereby compromising confidentiality, integrity and availability of the affected site.

Affected Systems

WordPress installations that use the WP Responsive Auto Fit Text plugin version 0.2 or earlier are affected. The plugin is available from the WordPress plugin repository and is integrated into the WordPress editor as an add‑on for responsive text scaling.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests that the probability of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. The CVSS vector (AV:N/AC:L/PR:L/UI:R/S:C) indicates a network-reachable flaw that needs low privileges and user interaction: an attacker injects code into a field that the plugin renders into the page's DOM, and the script runs in the browser of any visitor who views the affected page while the vulnerable plugin is active.

Generated by OpenCVE AI on May 1, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest version of the WP Responsive Auto Fit Text plugin that addresses the XSS issue (currently available as version 0.3 or later).
  • If an update is not yet available, immediately deactivate or uninstall the plugin so that no attacker can inject code via it.
  • As a temporary workaround, ensure that any content managed by the plugin is properly sanitized or use an alternative plugin that escapes output.


Advisories
Source: EUVD
ID: EUVD-2025-5387
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gal_op WP Responsive Auto Fit Text allows DOM-Based XSS. This issue affects WP Responsive Auto Fit Text: from n/a through 0.2.
History

Thu, 23 Apr 2026 15:00:00 +0000
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  • Description
    Value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gal_op WP Responsive Auto Fit Text allows DOM-Based XSS. This issue affects WP Responsive Auto Fit Text: from n/a through 0.2.
    Value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gal_op WP Responsive Auto Fit Text wp-responsive-slab-text allows DOM-Based XSS.This issue affects WP Responsive Auto Fit Text: from n/a through <= 0.2.
  • References
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 25 Feb 2025 20:15:00 +0000
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 25 Feb 2025 14:30:00 +0000
  • Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gal_op WP Responsive Auto Fit Text allows DOM-Based XSS. This issue affects WP Responsive Auto Fit Text: from n/a through 0.2.
  • Title: WordPress WP Responsive Auto Fit Text plugin <= 0.2 - Cross Site Scripting (XSS) vulnerability
  • Weaknesses: CWE-79
  • References
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:43.802Z

Reserved: 2025-02-17T11:50:42.823Z

Link: CVE-2025-26904

Vulnrichment

Updated: 2025-02-25T19:08:22.123Z

NVD

Status: Deferred

Published: 2025-02-25T15:15:25.990

Modified: 2026-06-17T09:02:34.787

Link: CVE-2025-26904

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T15:30:20Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')