Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in regibaer Evangelische Termine evangtermine allows Reflected XSS. This issue affects Evangelische Termine: from n/a through <= 3.3.
Published: 2025-06-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an improper neutralization of input during page generation that enables reflected XSS. By submitting unsanitized data through the plugin’s input fields, an attacker can embed and execute arbitrary JavaScript in the rendered page, potentially compromising user sessions or delivering malicious content. The weakness is identified as CWE-79.

Affected Systems

The affected product is the WordPress plugin Evangelische Termine, version 3.3 and earlier, provided by the vendor regibaer. Users running any of these versions are susceptible to the flaw.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity. The EPSS score of less than 1% suggests a low current likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be reflected XSS, meaning an attacker must lure a victim to visit a crafted link or submit a request that includes malicious input. Successful exploitation requires the victim’s browser to process the unsanitized content, leading to potential session hijacking or defacement.

Generated by OpenCVE AI on May 1, 2026 at 07:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for an updated version of the Evangelische Termine plugin and upgrade if a version newer than 3.3 is available.
  • If an update is not immediately available, temporarily disable the plugin’s input fields or limit access to trusted administrators to reduce the surface area for injection.
  • Perform a site‑wide scan for injected script tags and remove any malicious payloads that may have been previously inserted in page content.



Advisories
Source: EUVD
ID: EUVD-2025-19268
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in regibaer Evangelische Termine allows Reflected XSS. This issue affects Evangelische Termine: from n/a through 3.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in regibaer Evangelische Termine allows Reflected XSS. This issue affects Evangelische Termine: from n/a through 3.3.
Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in regibaer Evangelische Termine evangtermine allows Reflected XSS. This issue affects Evangelische Termine: from n/a through <= 3.3.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 27 Jun 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Jun 2025 12:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in regibaer Evangelische Termine allows Reflected XSS. This issue affects Evangelische Termine: from n/a through 3.3.
Title WordPress Evangelische Termine plugin <= 3.3 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:51.743Z

Reserved: 2025-03-11T08:10:19.510Z

Link: CVE-2025-28960

Vulnrichment

Updated: 2025-06-27T13:04:19.502Z

NVD

Status: Deferred

Published: 2025-06-27T12:15:32.473

Modified: 2026-06-17T09:04:57.570

Link: CVE-2025-28960

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:30:11Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')