Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michel - xiligroup dev xili-dictionary xili-dictionary allows Reflected XSS.This issue affects xili-dictionary: from n/a through <= 2.12.5.
Published: 2025-04-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation in the xili‑dictionary plugin allows a reflected cross‑site scripting vulnerability. The flaw permits an attacker to inject and execute arbitrary client‑side script in the victim’s browser when a crafted URL or form is loaded. This breach of the page’s output encoding enables malicious JavaScript code to run with the context of the site.

Affected Systems

The vulnerability affects WordPress sites using the Michel - xiligroup dev xili‑dictionary plugin version 2.12.5 or any earlier release. Any WordPress installation that has this plugin installed remains vulnerable until the component is updated beyond the specified version.

Risk and Exploitability

The CVSS score of 7.1 indicates a medium‑to‑high severity, while the EPSS score of less than 1 % points to a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that a typical attack scenario would involve an attacker crafting a link or form that, when a user accesses it, triggers the reflected XSS payload. Because the injected script runs in the victim’s browser, the attacker could interact with the page’s DOM and potentially capture or manipulate data visible to that user.

Generated by OpenCVE AI on May 2, 2026 at 02:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the xili‑dictionary plugin to a version newer than 2.12.5 (e.g., 2.12.6 or later).
  • If an upgrade is not immediately possible, disable the xili‑dictionary plugin until an update is applied.
  • Implement a Content Security Policy that restricts inline scripts to reduce the impact of any remaining XSS vectors.

Generated by OpenCVE AI on May 2, 2026 at 02:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9095 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michel - xiligroup dev xili-dictionary allows Reflected XSS. This issue affects xili-dictionary: from n/a through 2.12.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michel - xiligroup dev xili-dictionary allows Reflected XSS. This issue affects xili-dictionary: from n/a through 2.12.5. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michel - xiligroup dev xili-dictionary xili-dictionary allows Reflected XSS.This issue affects xili-dictionary: from n/a through <= 2.12.5.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 01 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 05:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michel - xiligroup dev xili-dictionary allows Reflected XSS. This issue affects xili-dictionary: from n/a through 2.12.5.
Title WordPress xili-dictionary plugin <= 2.12.5 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:58.496Z

Reserved: 2025-03-26T09:20:47.109Z

Link: CVE-2025-30840

cve-icon Vulnrichment

Updated: 2025-04-01T16:01:23.936Z

cve-icon NVD

Status : Deferred

Published: 2025-04-01T06:15:52.733

Modified: 2026-04-23T15:27:10.403

Link: CVE-2025-30840

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T03:00:13Z

Weaknesses