Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BjornW File Icons file-icons allows Reflected XSS. This issue affects File Icons: from n/a through <= 2.1.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an improper neutralization of input during web page generation, allowing an attacker to inject malicious code that is reflected back to the user’s browser. This flaw can lead to the execution of arbitrary scripts, enabling attackers to steal session cookies, deface pages, or launch further attacks. The vulnerability is a classic XSS (CWE‑79) that compromises confidentiality and integrity of the affected user’s session.

Affected Systems

All installations of BjornW File Icons plugin with versions up to and including 2.1 are vulnerable. Users who run any of these versions should consider their plugin installation an affected system.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests a low probability of widespread exploitation. The vulnerability is not listed in CISA's KEV catalog, but attackers could still leverage it by crafting a malicious URL that includes the vulnerable parameter. When visited, the script runs in the user's browser, potentially compromising account data and enabling further compromise. Risk is moderate to high for users who do not protect themselves with additional controls.

Generated by OpenCVE AI on May 1, 2026 at 09:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the File Icons plugin to version 2.2 or later.
  • If upgrading is not immediately possible, sanitize or remove the affected input parameters and validate all user input to prevent script injection.
  • Enable a web application firewall to detect and block malicious script payloads before they reach the browser.



Advisories
Source: EUVD
ID: EUVD-2025-11622
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BjornW File Icons allows Reflected XSS. This issue affects File Icons: from n/a through 2.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BjornW File Icons allows Reflected XSS. This issue affects File Icons: from n/a through 2.1.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BjornW File Icons file-icons allows Reflected XSS.This issue affects File Icons: from n/a through <= 2.1.

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 17 Apr 2025 19:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 16:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BjornW File Icons allows Reflected XSS. This issue affects File Icons: from n/a through 2.1.

Type: Title
Values Added: WordPress File Icons Plugin <= 2.1 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:46.987Z

Reserved: 2025-02-21T16:45:19.170Z

Link: CVE-2025-27288

Vulnrichment

Updated: 2025-04-17T17:44:06.628Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:35.533

Modified: 2026-06-17T09:03:20.543

Link: CVE-2025-27288

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:45:07Z

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')