Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LeadConnector LeadConnector leadconnector allows DOM-Based XSS.This issue affects LeadConnector: from n/a through <= 3.0.2.
Published: 2025-03-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a CWE‑79 Improper Neutralization of Input During Web Page Generation in the LeadConnector WordPress plugin, in its DOM‑based form: client‑side JavaScript shipped by the plugin takes attacker‑controlled input (for DOM‑based XSS this is typically part of the page URL, such as a query parameter or the fragment) and writes it into the page through an HTML‑interpreting sink without encoding it, so the browser parses the payload as markup and runs any script it carries in the context of whoever loads the page. Because the payload is consumed by script in the browser, it need not be reflected by the server at all; a fragment‑borne payload never reaches the server and is invisible to server‑side filtering and access logs. A successful attack can read data the victim's browser can reach in the site's origin, perform actions with the victim's authenticated session, or deface the rendered page.

Affected Systems

All installations of the LeadConnector WordPress plugin at version 3.0.2 or earlier are affected. The vendor is LeadConnector and the product is the LeadConnector plugin for WordPress. The advisory gives no lower bound for the affected range ("from n/a"), so every release up to and including 3.0.2 should be treated as vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) rates the issue medium: it is reachable over the network with low attack complexity, but the vector assumes a low‑privileged account (PR:L) and requires user interaction (UI:R), and the changed scope reflects that the injected script executes in the victim's browser rather than in the plugin itself. The EPSS score below 1% and the SSVC values recorded on this page (Exploitation: none, Automatable: no, Technical Impact: partial) indicate that exploitation is currently unlikely but not impossible, and the CVE is not listed in the CISA KEV catalogue. The expected attack path is a crafted link to a page rendered by the plugin: the site's public web interface is the exposed surface, and the attacker must entice a victim to open the link. Note that PR:L in the vector means some authenticated access is assumed on the attacker's side, which narrows the realistic attacker pool compared with an unauthenticated XSS.

Generated by OpenCVE AI on May 1, 2026 at 03:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LeadConnector plugin to a release later than 3.0.2 as soon as one is available. This page records no vendor fix, so confirm from the plugin changelog or the Patchstack advisory that the release you install actually addresses the XSS before relying on it.
  • If no update is immediately available, deactivate or uninstall the LeadConnector plugin to remove the vulnerable code path from the site.
  • Where you maintain custom code around the plugin or can patch it locally, neutralize untrusted values at the point where they enter the DOM: prefer textContent or setAttribute over innerHTML, outerHTML, insertAdjacentHTML and document.write, and HTML‑encode anything that must pass through an HTML sink. Server‑side sanitization alone does not close a DOM‑based flaw, because the offending read and write both happen in client‑side script.
  • Apply a Content Security Policy whose script-src omits 'unsafe-inline' (using nonces or hashes for legitimate inline scripts) and limits script sources to trusted hosts; this prevents an injected inline handler from executing even if the vulnerable code path is reached. Roll it out in Content-Security-Policy-Report-Only mode first, since WordPress core, themes and many plugins emit inline scripts and will break under a strict policy.
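The following is an added example, not code from the LeadConnector plugin or from OpenCVE, illustrating the DOM‑based pattern described in the Impact section and the encoding and CSP recommendations above. It assumes a hypothetical parameter named name, a constructed sample URL, and models the innerHTML sink as the HTML string a script would assign to it, so it runs under Node.js without a browser DOM. The CSP helper implements the Level 2 rule that 'unsafe-inline' is ignored when the same directive carries a nonce or hash.

```javascript
// Added example (not LeadConnector plugin code): DOM-based XSS source -> sink,
// the output-encoding fix, and a check for the CSP caveat. Runs under Node.js;
// the "sink" is modelled as the HTML string a script would assign to innerHTML.

// Source: read a parameter from the page URL. A real plugin script would use
// window.location.href; here the URL is a constructed sample passed by the caller.
// The fragment (#...) is checked too: it never reaches the server, so server-side
// filters, WAF rules and access logs never see the payload.
function readParam(pageUrl, name) {
  const u = new URL(pageUrl);
  const fromQuery = u.searchParams.get(name);
  if (fromQuery !== null) return fromQuery;
  return new URLSearchParams(u.hash.replace(/^#/, '')).get(name);
}

// Vulnerable sink: untrusted text concatenated straight into markup. Assigning the
// result to innerHTML parses it as HTML, so a value such as
// <img src=x onerror=alert(document.cookie)> becomes a live element and fires.
function renderVulnerable(name) {
  return `<p class="greeting">Hello, ${name}</p>`;
}

// Fix 1: encode the HTML-significant characters before concatenation, so the
// browser displays the payload as literal text instead of parsing it.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}
function renderEncoded(name) {
  return `<p class="greeting">Hello, ${escapeHtml(name)}</p>`;
}
// Fix 2 (browser only, not runnable here): avoid the HTML sink altogether, e.g.
//   el.textContent = name;   // treated as data, never as markup

// Detection helper: after removing the one <p> element the renderer itself
// writes, is any other tag left in the output?
function containsInjectedMarkup(html) {
  const withoutWrapper = html.replace(/<\/?p(?:\s[^>]*)?>/g, '');
  return /<[a-z!\/]/i.test(withoutWrapper);
}

// CSP caveat: the onerror= handler above only runs if the effective script-src
// allows inline script. With no script-src or default-src there is no restriction;
// browsers implementing CSP Level 2+ ignore 'unsafe-inline' when the same
// directive also carries a nonce or hash source.
function inlineScriptAllowed(csp) {
  const directives = Object.fromEntries(
    csp.split(';').map((d) => d.trim()).filter(Boolean)
      .map((d) => { const [n, ...v] = d.split(/\s+/); return [n.toLowerCase(), v]; })
  );
  const sources = directives['script-src'] || directives['default-src'];
  if (!sources) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed sample: a crafted link a victim might be sent (hypothetical host and path).
const SAMPLE_URL =
  'https://example.test/contact/?name=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E';

function demo() {
  const name = readParam(SAMPLE_URL, 'name');
  return {
    payload: name,
    vulnerableInjected: containsInjectedMarkup(renderVulnerable(name)),
    encodedInjected: containsInjectedMarkup(renderEncoded(name)),
    encodedOutput: renderEncoded(name),
    weakCspAllowsInline: inlineScriptAllowed("default-src 'self'; script-src 'self' 'unsafe-inline'"),
    strictCspAllowsInline: inlineScriptAllowed("default-src 'self'; script-src 'self' 'nonce-r4nd0m'"),
  };
}

console.log(demo());
```

The same containsInjectedMarkup check can be pointed at any string-building code path you suspect of feeding innerHTML; if it reports injected markup for a URL-derived value, the sink needs the encoding or textContent treatment regardless of what the server did with the request.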



Advisories
Source ID Title
EUVD EUVD-2025-8307 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LeadConnector LeadConnector allows DOM-Based XSS. This issue affects LeadConnector: from n/a through 3.0.2.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in varunvairavanlc LeadConnector leadconnector allows DOM-Based XSS.This issue affects LeadConnector: from n/a through <= 3.0.2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LeadConnector LeadConnector leadconnector allows DOM-Based XSS.This issue affects LeadConnector: from n/a through <= 3.0.2.

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LeadConnector LeadConnector leadconnector allows DOM-Based XSS.This issue affects LeadConnector: from n/a through <= 3.0.2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in varunvairavanlc LeadConnector leadconnector allows DOM-Based XSS.This issue affects LeadConnector: from n/a through <= 3.0.2.
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LeadConnector LeadConnector allows DOM-Based XSS. This issue affects LeadConnector: from n/a through 3.0.2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LeadConnector LeadConnector leadconnector allows DOM-Based XSS.This issue affects LeadConnector: from n/a through <= 3.0.2.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Thu, 27 Mar 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 27 Mar 2025 11:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LeadConnector LeadConnector allows DOM-Based XSS. This issue affects LeadConnector: from n/a through 3.0.2.
Title WordPress LeadConnector plugin <= 3.0.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:59.807Z

Reserved: 2025-03-26T09:21:31.390Z

Link: CVE-2025-30893

Vulnrichment

Updated: 2025-03-27T15:35:57.391Z

NVD

Status : Deferred

Published: 2025-03-27T11:15:50.190

Modified: 2026-04-28T19:30:29.590

Link: CVE-2025-30893

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T03:45:07Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')