Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Business Card Block business-card-block allows Stored XSS. This issue affects Business Card Block: from n/a through <= 1.0.5.
Published: 2025-02-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Business Card Block plugin version 1.0.5 and earlier contains a stored cross‑site scripting flaw that allows attackers to inject malicious JavaScript into the plugin’s stored content. The injected code is rendered when another user views the content, enabling session hijacking, data theft, or defacement. This weakness is classified as CWE‑79.

Affected Systems

Any WordPress installation that has the bPlugins Business Card Block plugin installed in a version up to and including 1.0.5 is affected. No specific operating system or PHP version prerequisites are indicated.

Risk and Exploitability

The vulnerability is rated medium with a CVSS score of 6.5. The EPSS score is below 1%, suggesting a low likelihood of active exploitation, and the flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that attacks likely exploit the flaw by submitting malicious content through the plugin’s input interface, either via authenticated or unauthenticated access depending on how the site is configured. The recorded CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) specifies low privileges required and user interaction required. No official patch or workaround is noted in the source data.

Generated by OpenCVE AI on May 2, 2026 at 04:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Business Card Block plugin to a version newer than 1.0.5
  • If upgrading is not immediately possible, remove or disable any input fields that allow user‑supplied content in the plugin or apply strict sanitization to those fields
  • Continuously monitor the site’s logs and user‑generated content for unexpected JavaScript injections


Advisories
Source: EUVD
ID: EUVD-2025-5408
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Business Card Block allows Stored XSS. This issue affects Business Card Block: from n/a through 1.0.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Business Card Block allows Stored XSS. This issue affects Business Card Block: from n/a through 1.0.5.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Business Card Block business-card-block allows Stored XSS.This issue affects Business Card Block: from n/a through <= 1.0.5.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 25 Feb 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 25 Feb 2025 14:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Business Card Block allows Stored XSS. This issue affects Business Card Block: from n/a through 1.0.5.
Title WordPress Business Card Block plugin <= 1.0.5 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:44.803Z

Reserved: 2025-02-17T11:51:26.569Z

Link: CVE-2025-26952

Vulnrichment

Updated: 2025-02-25T17:14:47.356Z

NVD

Status: Deferred

Published: 2025-02-25T15:15:28.870

Modified: 2026-06-17T09:02:39.490

Link: CVE-2025-26952

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T04:15:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')