Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SecuPress SecuPress Free secupress allows DOM-Based XSS. This issue affects SecuPress Free: from n/a through <= 2.2.5.3.
Published: 2025-03-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a DOM-based cross-site scripting (XSS) flaw that lets an attacker inject malicious script into web pages generated by the SecuPress Free plugin. The flaw arises from the plugin's failure to properly neutralize user-controllable input during page rendering. Because the injected script runs in the context of the victim's browser, an attacker could execute arbitrary client-side code when a user visits a page processed by the plugin.

Affected Systems

The SecuPress Free plugin, provided by SecuPress, is affected in all releases from the initial version up through 2.2.5.3. Any site running the plugin at or below this version is at risk.

Risk and Exploitability

The CVSS base score is 6.5, a medium-severity rating. The EPSS score is below 1%, indicating a very low likelihood of exploitation in the wild, and the CVE is not listed in the CISA KEV catalog. The weakness is DOM-based XSS (CWE-79), which typically requires the attacker to craft a malicious URL or input that the victim must load or interact with. A successful attack runs attacker-supplied script in the victim's browser, which could allow theft of session data or defacement of the site if the user interacts with the malicious content.

Generated by OpenCVE AI on May 2, 2026 at 08:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Audit WordPress installations to identify sites running SecuPress Free plugin version 2.2.5.3 or earlier and plan for replacement or update once a vendor fix is available.
  • Apply general input sanitization to any user‑controlled data processed by the plugin (e.g., using WordPress esc_html() or esc_attr() functions) as a temporary protective measure.
  • Monitor SecuPress advisories for updates; when a patch is released, apply it promptly to eliminate the XSS flaw.

Advisories

Source: EUVD
ID: EUVD-2025-8303
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SecuPress SecuPress Free allows DOM-Based XSS. This issue affects SecuPress Free: from n/a through 2.2.5.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SecuPress SecuPress Free allows DOM-Based XSS. This issue affects SecuPress Free: from n/a through 2.2.5.3.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SecuPress SecuPress Free secupress allows DOM-Based XSS.This issue affects SecuPress Free: from n/a through <= 2.2.5.3.

Type: References (no values listed)

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Thu, 14 Aug 2025 06:30:00 +0000

Type: First Time appeared
Values Added: Secupress; Secupress secupress

Type: CPEs
Values Added: cpe:2.3:a:secupress:secupress:*:*:*:*:free:wordpress:*:*

Type: Vendors & Products
Values Added: Secupress; Secupress secupress

Thu, 27 Mar 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 27 Mar 2025 11:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SecuPress SecuPress Free allows DOM-Based XSS. This issue affects SecuPress Free: from n/a through 2.2.5.3.

Type: Title
Values Added: WordPress SecuPress Free plugin <= 2.2.5.3 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References (no values listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:00.546Z

Reserved: 2025-03-26T09:21:38.618Z

Link: CVE-2025-30907

Vulnrichment

Updated: 2025-03-27T14:31:06.252Z

NVD

Status : Modified

Published: 2025-03-27T11:15:51.620

Modified: 2026-04-23T15:27:18.223

Link: CVE-2025-30907

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T09:00:11Z

Weaknesses