Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alobaidi Archive Page archive-page allows DOM-Based XSS. This issue affects Archive Page: from n/a through <= 1.0.2.
Published: 2025-02-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a DOM‑based cross‑site scripting flaw that allows an attacker to inject and execute arbitrary JavaScript in the browser of visitors who load the affected private archive pages. The injection can lead to session cookie theft, defacement of the site, or redirection to malicious sites, thereby compromising user confidentiality and integrity of the site’s displayed content.

Affected Systems

The flaw affects the WordPress plugin "Archive Page" developed by Alobaidi, specifically versions up to and including 1.0.2. Any WordPress installation that has this plugin in use and has not been upgraded to a later release is vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate impact, while the EPSS score of less than 1% suggests that exploitation is expected to be rare at the moment. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this flaw by convincing a victim to visit a crafted URL that includes malicious input, which will be executed in the victim’s browser when the page loads. Because it is a DOM‑based flaw, the attack requires user interaction but does not require further network privileges or server access.

Generated by OpenCVE AI on May 1, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Archive Page plugin to the latest version that contains the XSS fix if one is available.
  • If an update is not immediately possible, temporarily deactivate the plugin until a patch can be released or applied.
  • As a last resort, modify the plugin’s source to sanitize or escape all user‑supplied input before it is rendered in the page to eliminate the DOM‑based XSS vector.



Advisories
Source: EUVD
ID: EUVD-2025-4356
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alobaidi Archive Page allows DOM-Based XSS. This issue affects Archive Page: from n/a through 1.0.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alobaidi Archive Page allows DOM-Based XSS. This issue affects Archive Page: from n/a through 1.0.1.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alobaidi Archive Page archive-page allows DOM-Based XSS. This issue affects Archive Page: from n/a through <= 1.0.2.
Title
  Removed: WordPress Archive Page plugin <= 1.0.1 - Cross Site Scripting (XSS) vulnerability
  Added: WordPress Archive Page plugin <= 1.0.2 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Mon, 24 Feb 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 24 Feb 2025 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alobaidi Archive Page allows DOM-Based XSS. This issue affects Archive Page: from n/a through 1.0.1.
Title WordPress Archive Page plugin <= 1.0.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:46.944Z

Reserved: 2025-02-21T16:45:10.729Z

Link: CVE-2025-27280

Vulnrichment

Updated: 2025-02-24T16:26:54.989Z

NVD

Status: Deferred

Published: 2025-02-24T15:15:15.007

Modified: 2026-06-17T09:03:19.780

Link: CVE-2025-27280

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T16:00:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')