Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jwpegram Block Spam By Math Reloaded block-spam-by-math-reloaded allows Stored XSS. This issue affects Block Spam By Math Reloaded: from n/a through <= 2.2.4.
Published: 2025-03-11
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin contains improper neutralization of input during web page generation, allowing stored cross‑site scripting. Malicious payloads entered via the plugin’s input can be persisted in the site’s content or settings and later rendered in the browser, potentially enabling attackers to execute arbitrary JavaScript. This can lead to cookie theft, session hijacking, defacement, or redirection for a victim who visits the affected page.

Affected Systems

WordPress sites that have the Block Spam By Math Reloaded plugin installed, any version from the initial release through and including 2.2.4, are vulnerable. Site administrators should verify the plugin version and whether it remains within that vulnerable range. All hosted WordPress instances that load the plugin into public pages are at risk.

Risk and Exploitability

The CVSS score of 5.9 classifies the vulnerability as medium severity, while the EPSS score indicates a very low but non‑zero likelihood of exploitation at this time. The CVSS vector (AV:N/AC:L/PR:H/UI:R/S:C) shows that injecting the payload requires a highly privileged account and that a victim must interact with the affected page, which limits the plausible attackers to users who already hold elevated plugin or site permissions. The issue is not listed in the CISA KEV catalog, which suggests that publicly known exploits are either not yet observed or not yet reported. An attacker with such access could inject a malicious script into the plugin’s input fields; when a visitor loads the affected page the script runs in the context of the site, allowing the attacker to gather session data or perform other client‑side attacks.

Generated by OpenCVE AI on May 1, 2026 at 14:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Block Spam By Math Reloaded plugin to the latest version or apply the vendor’s official patch.
  • Disable or remove the Block Spam By Math Reloaded plugin from the WordPress installation if an update is not available or not timely.
  • Tighten site permissions for the plugin’s configuration section and review existing content for any stored scripts, removing or sanitizing them.

Advisories

Source: EUVD
ID: EUVD-2025-7839
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jwpegram Block Spam By Math Reloaded allows Stored XSS. This issue affects Block Spam By Math Reloaded: from n/a through 2.2.4.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1)
    Removed: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}
    Added:   {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jwpegram Block Spam By Math Reloaded allows Stored XSS. This issue affects Block Spam By Math Reloaded: from n/a through 2.2.4.
    Added:   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jwpegram Block Spam By Math Reloaded block-spam-by-math-reloaded allows Stored XSS.This issue affects Block Spam By Math Reloaded: from n/a through <= 2.2.4.
  References: (no values listed)
  Metrics (cvssV3_1)
    Removed: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}
    Added:   {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Fri, 11 Jul 2025 13:45:00 +0000
  Metrics (epss)
    Removed: {'score': 0.00038}
    Added:   {'score': 0.00054}

Mon, 17 Mar 2025 19:15:00 +0000
  First Time appeared
    Added: Jwpegram
    Added: Jwpegram block Spam By Math Reloaded
  CPEs
    Added: cpe:2.3:a:jwpegram:block_spam_by_math_reloaded:*:*:*:*:*:wordpress:*:*
  Vendors & Products
    Added: Jwpegram
    Added: Jwpegram block Spam By Math Reloaded

Wed, 12 Mar 2025 14:15:00 +0000
  Metrics (ssvc)
    Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 11 Mar 2025 21:15:00 +0000
  Description
    Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jwpegram Block Spam By Math Reloaded allows Stored XSS. This issue affects Block Spam By Math Reloaded: from n/a through 2.2.4.
  Title
    Added: WordPress Block Spam By Math Reloaded plugin <= 2.2.4 - Cross Site Scripting (XSS) vulnerability
  Weaknesses
    Added: CWE-79
  References: (no values listed)
  Metrics (cvssV3_1)
    Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:49.516Z

Reserved: 2025-03-11T08:08:49.775Z

Link: CVE-2025-28871

Vulnrichment

Updated: 2025-03-12T13:45:35.732Z

NVD

Status: Modified

Published: 2025-03-11T21:15:44.600

Modified: 2026-06-17T09:04:48.093

Link: CVE-2025-28871

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:15:20Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')