Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wptobe Wptobe-signinup wptobe-signinup allows Reflected XSS. This issue affects Wptobe-signinup: from n/a through <= 1.1.2.
Published: 2025-04-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an instance of Improper Neutralization of Input During Web Page Generation, classified as CWE‑79. The insecure handling of user‑supplied data allows an attacker to inject malicious scripts that are reflected in the webpage response. Such scripts can be executed in the context of the victim’s browser, enabling cookie theft, session hijacking, defacement, or other client‑side attacks.

Affected Systems

WordPress installations that have the Wptobe‑signinup plugin (wptobe:Wptobe‑signinup) version 1.1.2 or earlier are affected. The vulnerability exists throughout the listed range from an undefined initial revision up to and including version 1.1.2.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while an EPSS score of less than 1% suggests a low probability of active exploitation in the near term. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to craft a URL or input that the plugin reflects in the page output, and then to get the victim to visit the malicious link or otherwise trigger the payload. Because this is reflected XSS, the attack depends on victim interaction and is typically delivered through social engineering or compromised intermediaries.

Generated by OpenCVE AI on May 1, 2026 at 01:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Wptobe‑signinup plugin to a version newer than 1.1.2.
  • If an upgrade is not immediately possible, disable or remove the vulnerable plugin from the WordPress installation.
  • Ensure that all user inputs processed by the plugin are properly escaped or sanitized using WordPress functions such as wp_kses before being output to the page.


Advisories
Source: EUVD
ID: EUVD-2025-14797
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Wptobe-signinup allows Reflected XSS. This issue affects Wptobe-signinup: from n/a through 1.1.2.

History

Thu, 23 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Wptobe-signinup allows Reflected XSS. This issue affects Wptobe-signinup: from n/a through 1.1.2.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wptobe Wptobe-signinup wptobe-signinup allows Reflected XSS. This issue affects Wptobe-signinup: from n/a through <= 1.1.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 03 Apr 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Wptobe-signinup allows Reflected XSS. This issue affects Wptobe-signinup: from n/a through 1.1.2.
Title WordPress Wptobe-signinup plugin <= 1.1.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:55.710Z

Reserved: 2025-03-24T13:00:47.777Z

Link: CVE-2025-30611

Vulnrichment

Updated: 2025-04-03T14:59:29.055Z

NVD

Status: Deferred

Published: 2025-04-03T14:15:33.640

Modified: 2026-04-23T15:26:58.157

Link: CVE-2025-30611

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T01:15:05Z
