Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in oooorgle Quotes llama quotes-llama allows DOM-Based XSS. This issue affects Quotes llama: from n/a through <= 3.1.0.
Published: 2025-03-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a malicious actor to inject and execute arbitrary JavaScript in the victim's browser because the Quotes llama plugin fails to neutralize user input during page generation. This is a DOM‑based XSS flaw (CWE‑79) that can lead to data theft, session hijacking or deceptive content injection, compromising confidentiality, integrity, or availability of the affected site.

Affected Systems

The vulnerability exists in the oooorgle Quotes llama plugin for WordPress. It affects all releases up to and including version 3.1.0. No specific sub‑versions are listed beyond that ceiling.

Risk and Exploitability

The CVSS base score of 6.5 places the flaw in the Medium severity band. The EPSS score of less than 1% suggests a low but non‑zero likelihood of exploitation, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is a crafted link or other user-controlled input that the plugin renders unsanitized into the DOM, so that script chosen by the attacker runs in the browser of any user who loads the affected page.

Generated by OpenCVE AI on May 1, 2026 at 04:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Quotes llama plugin to the latest version (≥3.2.0) to remove the XSS flaw.
  • If an upgrade is not immediately possible, disable the plugin to eliminate the risk until a fix is applied.
  • As a temporary workaround, enforce strict input sanitization on all content rendered by the plugin or use a site‑wide content filter to strip potentially malicious script tags.
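The flaw the analysis describes, and the sanitization the recommended actions call for, come down to whether untrusted quote fields are neutralized before they reach an HTML sink. The block below is an added example and is not code from the Quotes llama plugin, whose source this page does not show; the `sampleQuote` record, the `escapeHtml` helper, the two render functions and the allow-listed tag names are assumptions constructed for illustration.

```javascript
// Added example (not the plugin's code): a quote widget that builds markup
// from a quote record whose fields may originate from user input.

// Escape the five characters that change meaning inside HTML text or
// double-quoted attribute values, so the value can only render as text.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (CWE-79): fields are concatenated straight into markup
// that a page would later assign to innerHTML. Any markup inside the quote
// text becomes live DOM in the visitor's browser.
function renderQuoteUnsafe(quote) {
  return '<blockquote class="quote">' + quote.text +
         '<cite>' + quote.author + '</cite></blockquote>';
}

// Hardened pattern: every untrusted field is escaped at the sink.
function renderQuoteSafe(quote) {
  return '<blockquote class="quote">' + escapeHtml(quote.text) +
         '<cite>' + escapeHtml(quote.author) + '</cite></blockquote>';
}

// Check usable in a plugin's own test suite: does the rendered fragment
// contain any element outside the widget's own wrapper tags, or an inline
// event-handler attribute inside a tag?
const ALLOWED_TAGS = new Set(['blockquote', 'cite']);
function containsUnexpectedMarkup(html) {
  const tagRe = /<\s*\/?\s*([a-z][a-z0-9]*)/gi;
  let match;
  while ((match = tagRe.exec(html)) !== null) {
    if (!ALLOWED_TAGS.has(match[1].toLowerCase())) {
      return true;
    }
  }
  // An on*= attribute that sits inside a raw tag (between '<' and '>').
  return /<[^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample record (test data, not a real submission): the text
// field carries markup of the kind an XSS probe would contain.
const sampleQuote = {
  text: 'Be excellent <img src=x onerror="probe()"> to each other',
  author: 'Anonymous "Bill" <S. Preston>',
};

// Render both ways and report which one still carries active markup.
function demo() {
  const unsafe = renderQuoteUnsafe(sampleQuote);
  const safe = renderQuoteSafe(sampleQuote);
  return {
    unsafeStillActive: containsUnexpectedMarkup(unsafe), // true
    safeStillActive: containsUnexpectedMarkup(safe),     // false
    safe,
  };
}

console.log(demo());
```

When the widget runs in a real page, the preferred fix is to create the `blockquote` and `cite` elements with `document.createElement` and assign the fields to `textContent`, which needs no escaping at all; the `escapeHtml` route is the fallback for code that must build an HTML string.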

Generated by OpenCVE AI on May 1, 2026 at 04:08 UTC.


Advisories
Source: EUVD
ID: EUVD-2025-8393
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in oooorgle Quotes llama allows DOM-Based XSS. This issue affects Quotes llama: from n/a through 3.1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in oooorgle Quotes llama allows DOM-Based XSS. This issue affects Quotes llama: from n/a through 3.1.0.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in oooorgle Quotes llama quotes-llama allows DOM-Based XSS.This issue affects Quotes llama: from n/a through <= 3.1.0.
Title
  Removed: WordPress Quotes llama <= 3.1.0 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress Quotes llama plugin <= 3.1.0 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Thu, 27 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 27 Mar 2025 11:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in oooorgle Quotes llama allows DOM-Based XSS. This issue affects Quotes llama: from n/a through 3.1.0.
Title WordPress Quotes llama <= 3.1.0 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:57.297Z

Reserved: 2025-03-26T09:20:11.232Z

Link: CVE-2025-30786

Vulnrichment

Updated: 2025-03-27T13:59:29.380Z

NVD

Status : Deferred

Published: 2025-03-27T11:15:39.833

Modified: 2026-04-23T15:27:04.037

Link: CVE-2025-30786

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T04:15:08Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')