Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team: Tobias WP2LEADS wp2leads allows Reflected XSS. This issue affects WP2LEADS: from n/a through <= 3.4.5.
Published: 2025-04-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an instance of improper neutralization of input during web page generation, also known as a reflected Cross‑Site Scripting (XSS) flaw in the WordPress WP2LEADS plugin. It permits an attacker to embed malicious scripts into URLs or form fields that are subsequently reflected back to a user’s browser. The injected scripts can run in the victim’s browser context whenever the crafted content is rendered.

Affected Systems

The flaw affects the WordPress WP2LEADS plugin produced by Saleswonder Team: Tobias. All releases up to and including version 3.4.5 are vulnerable. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity for this reflected XSS vulnerability. The EPSS score of less than 1% suggests a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw involves client-side input that is reflected in a server response, an attacker exploits it by supplying crafted input, such as a malicious URL or form submission, to a user who visits or interacts with the affected page. Exploitation does not require privileged access to the server or database; the flaw is exercised through the user's browser session.

Generated by OpenCVE AI on May 2, 2026 at 08:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the plugin’s official website or repository for a newer release that addresses the XSS vulnerability, and upgrade the WP2LEADS plugin to that version.
  • If a patched version is not yet available, disable or remove the WP2LEADS plugin to eliminate the reflected XSS risk until a fix can be applied.
  • Implement or configure a web application firewall to block or filter reflected XSS payloads, providing a temporary protection layer until the plugin is patched or removed.

Advisories

Source: EUVD
ID: EUVD-2025-9090
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team Tobias WP2LEADS allows Reflected XSS. This issue affects WP2LEADS: from n/a through 3.4.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Type: Metrics (cvssV3_1)
  Values: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Type: Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team Tobias WP2LEADS allows Reflected XSS. This issue affects WP2LEADS: from n/a through 3.4.5.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team: Tobias WP2LEADS wp2leads allows Reflected XSS.This issue affects WP2LEADS: from n/a through <= 3.4.5.

  Type: References

  Type: Metrics (cvssV3_1)
  Values: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 01 Apr 2025 14:15:00 +0000

  Type: Metrics (ssvc)
  Values: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 05:45:00 +0000

  Type: Description
  Values: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team Tobias WP2LEADS allows Reflected XSS. This issue affects WP2LEADS: from n/a through 3.4.5.

  Type: Title
  Values: WordPress WP2LEADS plugin <= 3.4.5 - Reflected Cross Site Scripting (XSS) vulnerability

  Type: Weaknesses
  Values: CWE-79

  Type: References

  Type: Metrics (cvssV3_1)
  Values: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:58.350Z

Reserved: 2025-03-26T09:20:39.457Z

Link: CVE-2025-30827

Vulnrichment

Updated: 2025-04-01T13:15:15.617Z

NVD

Status: Deferred

Published: 2025-04-01T06:15:52.220

Modified: 2026-04-23T15:27:08.873

Link: CVE-2025-30827

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:45:38Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')