Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VarDump s.r.l. Advanced Post Search (advanced-post-search) allows Reflected XSS. This issue affects Advanced Post Search: from n/a through 1.1.0.
Published: 2025-04-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Advanced Post Search plugin contains an Improper Neutralization of Input During Web Page Generation flaw that allows an attacker to inject script code into search queries. When the query is reflected into the generated page without proper escaping, the browser executes that script in the context of the site. This can enable an attacker to hijack user sessions, steal credentials, deface content or perform other malicious actions. The vulnerability is the classic input-validation problem identified by CWE-79: untrusted input reaches the page without being escaped for its output context.

Affected Systems

The affected product is VarDump s.r.l.'s Advanced Post Search plugin for WordPress. Versions up to and including 1.1.0 are vulnerable; every installation running one of these releases is susceptible, regardless of the underlying WordPress version.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the reflected XSS by supplying a crafted search query through the public web interface, typically via HTTP GET parameters. The attack succeeds only when a victim's browser renders the reflected payload, so it depends on user interaction.

Generated by OpenCVE AI on May 1, 2026 at 02:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Advanced Post Search to the latest released version (troubleshoot any conflicts first).
  • If an update is unavailable or the plugin is not required, disable or uninstall it entirely from the site.
  • Modify the plugin’s code or use a WordPress security plugin to ensure all user input, especially the search query, is properly sanitized and escaped before outputting it to the page.
  • Consider implementing a web application firewall rule that blocks or sanitizes suspicious script payloads in search query parameters.
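The escaping the recommendations call for, shown as an added illustration rather than the plugin's own source (which this page does not include): the unescaped-reflection pattern beside its hardened form, using WordPress' sanitize_text_field(), wp_unslash(), esc_attr(), esc_html() and get_search_query(). The aps_query parameter and the aps_example_* function names are assumptions for the example.

```php
<?php
// Added CWE-79 illustration for a WordPress search form; not code from the
// Advanced Post Search plugin. 'aps_query' and the function names are assumed.

// Vulnerable pattern: the raw query string is reflected into markup unchanged.
// Whatever the request carried is parsed by the browser as HTML, so a crafted
// link can make a victim's browser execute attacker-supplied script.
function aps_example_render_search_vulnerable() {
    $term = isset( $_GET['aps_query'] ) ? $_GET['aps_query'] : '';
    echo '<input type="text" name="aps_query" value="' . $term . '">';
    echo '<p>Results for: ' . $term . '</p>';
}

// Hardened pattern: unslash and sanitize on input, then escape for the exact
// output context. esc_attr() is for attribute values, esc_html() for text in
// the HTML body; escaping at output is what stops reflected data from being
// interpreted as markup.
function aps_example_render_search_fixed() {
    $term = isset( $_GET['aps_query'] )
        ? sanitize_text_field( wp_unslash( $_GET['aps_query'] ) )
        : '';
    echo '<input type="text" name="aps_query" value="' . esc_attr( $term ) . '">';
    echo '<p>Results for: ' . esc_html( $term ) . '</p>';
}

// When the plugin relies on WordPress' native search parameter, the core helper
// already returns an escaped value with its default $escaped = true argument.
function aps_example_render_core_search() {
    echo '<p>Results for: ' . get_search_query() . '</p>';
}
```

A WordPress security plugin or WAF rule (the last two bullets above) only filters known-bad patterns; the output escaping shown here is the fix that removes the flaw.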

Advisories

Source: EUVD
ID: EUVD-2025-9123
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VarDump s.r.l. Advanced Post Search allows Reflected XSS. This issue affects Advanced Post Search: from n/a through 1.1.0.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description, removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VarDump s.r.l. Advanced Post Search allows Reflected XSS. This issue affects Advanced Post Search: from n/a through 1.1.0.
  Description, added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VarDump s.r.l. Advanced Post Search advanced-post-search allows Reflected XSS.This issue affects Advanced Post Search: from n/a through <= 1.1.0.
  References (no values listed)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 01 Apr 2025 14:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 05:45:00 +0000
  Description, added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VarDump s.r.l. Advanced Post Search allows Reflected XSS. This issue affects Advanced Post Search: from n/a through 1.1.0.
  Title, added: WordPress Advanced Post Search plugin <= 1.1.0 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses, added: CWE-79
  References (no values listed)
  Metrics (cvssV3_1), added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:53.714Z

Reserved: 2025-03-24T12:59:49.933Z

Link: CVE-2025-30548

Vulnrichment

Updated: 2025-04-01T13:26:13.167Z

NVD

Status : Deferred

Published: 2025-04-01T06:15:48.940

Modified: 2026-04-23T15:26:50.630

Link: CVE-2025-30548

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T03:00:08Z

Weaknesses