Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in divspark Flagged Content flagged-content allows Reflected XSS. This issue affects Flagged Content: from n/a through <= 1.0.2.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of user-supplied input during page rendering in the DivSpark Flagged Content WordPress plugin, allowing an attacker to inject malicious scripts that execute in the victim's browser when a crafted URL is visited. This reflected XSS can be used to steal session cookies, deface content, or launch phishing attacks against site users, and it maps to CWE-79.

Affected Systems

All WordPress sites that have installed DivSpark’s Flagged Content plugin version 1.0.2 or earlier are affected. Any installation using these versions of the plugin is vulnerable, regardless of other plugins or theme versions.

Risk and Exploitability

The CVSS base score of 7.1 indicates high impact on confidentiality and integrity. The EPSS score of less than 1% shows exploitation probability is very low but still present, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw simply by persuading a user to click a malicious link; no special authentication or privilege escalation is required.

Generated by OpenCVE AI on May 1, 2026 at 09:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Flagged Content plugin to the latest version released after 1.0.2.
  • If an update is not yet available, remove or disable the plugin until a patch is released.
  • Ensure that WordPress core and all other plugins are kept current to reduce the risk of related vulnerabilities.
  • Optionally deploy a web application firewall that blocks reflected XSS patterns as a temporary defense.

Advisories

Source: EUVD
ID: EUVD-2025-11618
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in divspark Flagged Content allows Reflected XSS. This issue affects Flagged Content: from n/a through 1.0.2.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in divspark Flagged Content allows Reflected XSS. This issue affects Flagged Content: from n/a through 1.0.2.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in divspark Flagged Content flagged-content allows Reflected XSS. This issue affects Flagged Content: from n/a through <= 1.0.2.
Type: References
Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 17 Apr 2025 19:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 16:00:00 +0000

Type: Description
Value: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in divspark Flagged Content allows Reflected XSS. This issue affects Flagged Content: from n/a through 1.0.2.
Type: Title
Value: WordPress Flagged Content Plugin <= 1.0.2 - Reflected Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Value: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:47.333Z

Reserved: 2025-02-21T16:45:19.169Z

Link: CVE-2025-27284

Vulnrichment

Updated: 2025-04-17T17:43:59.968Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:35.010

Modified: 2026-06-17T09:03:20.163

Link: CVE-2025-27284

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:45:07Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')