Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ollybach WPPizza wppizza allows Reflected XSS. This issue affects WPPizza: from n/a through <= 3.19.4.
Published: 2025-02-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an instance of Improper Neutralization of Input During Web Page Generation (CWE-79). The WPPizza plugin fails to escape user-controlled data before writing it into a page, so an attacker who gets a victim to open a crafted URL or submit a crafted form can run arbitrary JavaScript in that victim's browser, in the origin of the affected WordPress site. The site's server is not compromised directly; the script acts as the victim. Against a logged-in administrator that can mean session hijacking or actions performed with administrative privileges, and against ordinary visitors it can mean phishing, redirection, or defacement of the page they see.

Affected Systems

The flaw affects the WordPress plugin WPPizza published by ollybach. The advisory gives no lower bound ("from n/a"), so every release up to and including 3.19.4 should be treated as affected until the vendor states otherwise.

Risk and Exploitability

The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L scores 7.1 (High): the attack is remote, low complexity and needs no privileges, but it requires user interaction (UI:R), because a reflected payload only runs when a victim opens a crafted link or submits a crafted form; the changed scope (S:C) reflects that the script executes in the victim's browser rather than in the vulnerable server component, with low confidentiality, integrity and availability impact each. The EPSS score below 1% indicates a low probability of exploitation in the wild at present, the flaw is not listed in the CISA KEV catalog, and the SSVC assessment recorded in the History section lists Exploitation: none and Automatable: no. In practice the exploit path is simple (a link delivered by email, chat or a malicious page) but depends on a user following it; the high-value target is a logged-in administrator.

Generated by OpenCVE AI on May 1, 2026 at 15:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPPizza plugin to a release later than 3.19.4 as soon as the vendor publishes one
  • If an update is not immediately possible, temporarily deactivate or remove the plugin from the site
  • For anyone maintaining the plugin code: escape every reflected value for the context it is written into, using WordPress's esc_html() for text, esc_attr() for attribute values and esc_url() for URLs (wp_kses() only where limited HTML must be allowed); as a defence in depth, site owners can deploy a Content Security Policy that blocks inline script, which keeps a reflected payload from executing even while an escaping bug remains

Generated by OpenCVE AI on May 1, 2026 at 15:12 UTC.
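The escaping called for in the last recommendation, as an added example written for this page: it is not WPPizza's code, and the advisory does not publish which WPPizza code path reflects input. It shows a constructed reflected-XSS sink of the kind described under Impact next to the same code escaped for its output context with WordPress's esc_attr(), esc_html() and esc_url(), plus a Content Security Policy header registered on the send_headers action. The function name example_unsafe_search_box, the q parameter and the payload are assumptions; the function_exists block supplies stand-ins only so the file runs under plain php outside WordPress, where the real functions are used instead.

```php
<?php
// Added example for this page (not WPPizza code; the advisory does not publish the
// affected code path). A constructed reflected-XSS pattern, its hardened form, and a
// CSP header as defence in depth. The names example_unsafe_search_box,
// example_safe_search_box and the `q` parameter are assumptions for the illustration.

// Stand-ins so the file runs under plain `php` outside WordPress. Inside WordPress the
// real functions exist and this block is skipped; the stand-ins only approximate them.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    function esc_url($url) {
        // Crude approximation: allow http(s) and relative URLs, drop javascript: etc.
        return preg_match('#^(https?:)?/#i', (string) $url) ? esc_attr($url) : '';
    }
    function wp_unslash($value) {
        return is_string($value) ? stripslashes($value) : $value;
    }
    function add_action($hook, $callback) { /* no-op outside WordPress */ }
}

// VULNERABLE (CWE-79): the raw value of ?q=... is written into an attribute and into
// text content without escaping, so `"><script>...</script>` in the URL becomes live
// markup that runs in the browser of whoever opens the crafted link.
function example_unsafe_search_box() {
    $q = isset($_GET['q']) ? wp_unslash($_GET['q']) : '';
    return '<input type="text" name="q" value="' . $q . '">'
         . '<p>Results for: ' . $q . '</p>';
}

// HARDENED: escape each value for the context it lands in: esc_attr() inside an
// attribute, esc_html() in text content, esc_url() for href/action/src. Escaping at
// output time (not only sanitising at input time) is what neutralises the reflection.
// REQUEST_URI is attacker-influenced too, so it gets the same treatment.
function example_safe_search_box() {
    $q    = isset($_GET['q']) ? wp_unslash($_GET['q']) : '';
    $self = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
    return '<form action="' . esc_url($self) . '" method="get">'
         . '<input type="text" name="q" value="' . esc_attr($q) . '">'
         . '</form>'
         . '<p>Results for: ' . esc_html($q) . '</p>';
}

// Defence in depth: a policy that forbids inline script stops a reflected payload from
// executing even if an escaping bug slips through. WordPress core, themes and plugins
// commonly rely on inline scripts, so a 'self'-only policy (or a nonce/hash-based one)
// needs testing before it goes live on a real site.
add_action('send_headers', function () {
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
             . "object-src 'none'; base-uri 'self'; form-action 'self'");
    }
});

// Run with `php this_file.php` to see the two outputs side by side.
if (PHP_SAPI === 'cli') {
    $_GET['q'] = '"><script>alert(document.domain)</script>';   // constructed payload
    echo "unsafe: " . example_unsafe_search_box() . "\n";
    echo "safe:   " . example_safe_search_box() . "\n";
}
```

Run on the command line, the unsafe output contains a live script element while the hardened one contains the same characters as inert `&lt;script&gt;` text. The CSP only limits the damage; the fix is the context-appropriate escaping at the point of output.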

Tracking


Advisories
Source: EUVD
ID: EUVD-2025-5420
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ollybach WPPizza allows Reflected XSS. This issue affects WPPizza: from n/a through 3.19.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1), values added:

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description, value removed:
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ollybach WPPizza allows Reflected XSS. This issue affects WPPizza: from n/a through 3.19.4.
Description, value added:
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ollybach WPPizza wppizza allows Reflected XSS.This issue affects WPPizza: from n/a through <= 3.19.4.
References: updated (values not shown on this page)
Metrics (cvssV3_1), values added:

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 25 Feb 2025 17:15:00 +0000

Metrics (ssvc), values added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 25 Feb 2025 14:30:00 +0000

Description, value added:
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ollybach WPPizza allows Reflected XSS. This issue affects WPPizza: from n/a through 3.19.4.
Title, value added:
WordPress WPPizza plugin <= 3.19.4 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses, value added:
CWE-79
References: added (values not shown on this page)
Metrics (cvssV3_1), values added:

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:46.051Z

Reserved: 2025-02-17T11:51:57.195Z

Link: CVE-2025-26991

Vulnrichment

Updated: 2025-02-25T17:01:00.827Z

NVD

Status : Deferred

Published: 2025-02-25T15:15:31.460

Modified: 2026-04-23T15:26:12.217

Link: CVE-2025-26991

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T15:15:20Z

Weaknesses