Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PoppinsDigital.com WPYog Documents wpyog-documents allows Reflected XSS. This issue affects WPYog Documents: from n/a through <= 1.3.5.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user-supplied input during web page generation in the WPYog Documents plugin (versions 1.3.5 and earlier) allows attackers to inject malicious scripts that are reflected back to the visitor. These scripts execute with the privileges of the page, enabling an attacker to steal session data, deface content, or redirect users to phishing sites. The vulnerability is a standard reflected XSS, classified under CWE‑79.

Affected Systems

The vulnerability affects the WordPress WPYog Documents plugin supplied by PoppinsDigital.com. Versions from the initial release through 1.3.5 are impacted. All installations of this plugin running those releases are potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a high impact if exploited, while the EPSS score of less than 1% suggests a low likelihood of automated exploitation at this time. The plugin is not listed in the CISA KEV catalog. Exploitation can occur when a remote user is tricked into visiting a crafted URL or a maliciously composed form submission that the vulnerable plugin echoes back to the page.

Generated by OpenCVE AI on May 1, 2026 at 09:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPYog Documents plugin to the latest released version (≥1.3.6) provided by PoppinsDigital.com.
  • If an update is not immediately available, deactivate or remove the plugin until a patch or secure workaround is released.
  • Verify that any user-generated fields handled by the plugin are properly sanitized or escaped before output to mitigate potential XSS risks.



Advisories
Source: EUVD
ID: EUVD-2025-11625
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPyog WPYog Documents allows Reflected XSS. This issue affects WPYog Documents: from n/a through 1.3.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPyog WPYog Documents allows Reflected XSS. This issue affects WPYog Documents: from n/a through 1.3.3.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PoppinsDigital.com WPYog Documents wpyog-documents allows Reflected XSS. This issue affects WPYog Documents: from n/a through <= 1.3.5.
Title
  Removed: WordPress WPYog Documents Plugin <= 1.3.3 - Reflected Cross Site Scripting (XSS) vulnerability
  Added: WordPress WPYog Documents Plugin <= 1.3.5 - Reflected Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 17 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPyog WPYog Documents allows Reflected XSS. This issue affects WPYog Documents: from n/a through 1.3.3.
Title WordPress WPYog Documents Plugin <= 1.3.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:47.147Z

Reserved: 2025-02-21T16:45:19.170Z

Link: CVE-2025-27292

Vulnrichment

Updated: 2025-04-17T17:44:17.143Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:35.933

Modified: 2026-06-17T09:03:20.933

Link: CVE-2025-27292

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:45:07Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')