Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in lynk Flashfader flashfader allows Reflected XSS. This issue affects Flashfader: from n/a through <= 1.1.1.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Flashfader plugin for WordPress fails to neutralize input during web page generation, allowing reflected XSS. An attacker can craft a request whose parameters are reflected into the plugin's output without escaping, so that injected JavaScript executes in the victim's browser when the page is rendered. Consequences include theft of session cookies, credential hijacking, defacement, or delivery of malware to users who open the crafted URL. The weakness is a classic failure to neutralize untrusted input before it is written into a page, catalogued as CWE-79.

Affected Systems

WordPress installations employing the Flashfader plugin with any version from the earliest released build through 1.1.1 are at risk. The affected vendor is lynk, and the product is the Flashfader plugin.

Risk and Exploitability

The CVSS v3.1 score of 7.1 indicates high severity, while the EPSS score below 1 % suggests that exploitation in the wild is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation needs only a crafted URL or form input that the plugin reflects back into the response, so anyone who can reach the site can prepare a payload; the CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) records that no authentication is required but that a victim must be induced to open the crafted link. Because the payload runs in whichever visitor's browser loads it, the impact is not limited to privileged accounts and can reach any visitor of the site.

Generated by OpenCVE AI on May 1, 2026 at 14:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Flashfader plugin to version 1.1.2 or later to remove the reflected XSS flaw.
  • If an immediate upgrade is not possible, deactivate the plugin or remove its code from the WordPress installation to prevent the vulnerable handler from executing.
  • Apply input sanitization and output escaping on any custom parameters that the plugin echoes to the page, ensuring that special characters are properly escaped or filtered before they reach the HTML response.

Advisories

Source: EUVD
ID: EUVD-2025-5601
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Flashfader allows Reflected XSS. This issue affects Flashfader: from n/a through 1.1.1.

History

Thu, 23 Apr 2026 15:00:00 +0000
Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
Type: Description
Value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Flashfader allows Reflected XSS. This issue affects Flashfader: from n/a through 1.1.1.
Value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in lynk Flashfader flashfader allows Reflected XSS.This issue affects Flashfader: from n/a through <= 1.1.1.
Type: References
Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 03 Apr 2025 13:15:00 +0000
Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 03 Mar 2025 13:45:00 +0000
Type: Description
Value: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Flashfader allows Reflected XSS. This issue affects Flashfader: from n/a through 1.1.1.
Type: Title
Value: WordPress Flashfader Plugin <= 1.1.1 - Reflected Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Value: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:46.939Z

Reserved: 2025-02-21T16:45:10.729Z

Link: CVE-2025-27279

Vulnrichment

Updated: 2025-03-03T15:13:59.813Z

NVD

Status : Deferred

Published: 2025-03-03T14:15:59.373

Modified: 2026-06-17T09:03:19.683

Link: CVE-2025-27279

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:15:20Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')