Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gopiplus Card flip image slideshow (card-flip-image-slideshow) allows DOM-Based XSS. This issue affects Card flip image slideshow: from n/a through <= 1.5.
Published: 2025-07-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The gopiplus Card flip image slideshow WordPress plugin does not neutralize input before its client-side script writes that input into the page, resulting in DOM-based cross-site scripting (CWE-79). An attacker who can get crafted input into the slideshow's rendering path can have arbitrary JavaScript run in the browser of anyone who views the affected page. The consequences are the usual ones for XSS: theft of cookies or session tokens, actions performed with the victim's authenticated session, page defacement, or other client-side attacks.

Affected Systems

WordPress sites running the Card flip image slideshow plugin by gopiplus at version 1.5 or earlier (every release up to and including 1.5) are affected. No fixed version is recorded on this page.

Risk and Exploitability

The CVSS 3.1 base score is 6.5 (Medium), vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L: reachable over the network with low attack complexity, but the attacker needs a low-privileged account and a victim who loads the affected page; the changed scope reflects that the script executes in the viewer's browser rather than in the plugin's own security context. The EPSS score is below 1%, the flaw is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation, not automatable, and partial technical impact. Because the issue is DOM-based, the injected value is written into the page by the plugin's JavaScript when the slideshow renders, so the attack completes client-side on a normal page load. The public record does not identify which field or parameter is the injection point, so the specific payload delivery path is not known from this page.

Generated by OpenCVE AI on April 30, 2026 at 16:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Card flip image slideshow plugin as soon as a release containing the XSS fix is published (none is recorded here yet); if the plugin is not required, uninstall it rather than merely deactivating it, since a deactivated plugin can be reactivated.
  • Until a fix is available, limit who can edit slideshow content and configuration to trusted administrators. Server-side sanitization on its own does not close a DOM-based XSS: the plugin's client-side script must encode values for the context it writes them into (text via textContent, attributes via setAttribute, never untrusted strings through innerHTML) and should accept only http(s) image URLs.
  • Deploy a Content Security Policy that disallows inline scripts (nonces or hashes rather than 'unsafe-inline') and restricts script-src to trusted origins; this limits what an injected payload can do but is a mitigation, not a fix.
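The following is an added example, not code from the plugin or from gopiplus: a generic slideshow renderer written in the shape of a DOM-based XSS sink, next to a hardened version that encodes for the HTML context and allows only http(s) image sources. The plugin's real data structures and injection point are not published, so the slide fields (src, caption), the constructed sample data and all function names here are assumptions made for illustration.

```javascript
// Added example: a generic card-flip slideshow renderer written to show the
// DOM-based XSS pattern and its hardened form. This is NOT the plugin's code;
// the slide shape (src, caption) and every name below are assumptions.

// Constructed sample data: the second slide carries values an attacker with
// a low-privileged account might manage to store in slideshow content.
const SAMPLE_SLIDES = [
  { src: "https://example.com/front.jpg", caption: "Front of card" },
  { src: "javascript:alert(document.domain)",
    caption: '<img src=x onerror="alert(1)">' },
];

// Vulnerable pattern: untrusted strings are concatenated into markup that the
// page then assigns to innerHTML. The browser parses the onerror attribute and
// runs it, and the javascript: URL survives into the src attribute.
function renderSlidesUnsafe(slides) {
  return slides
    .map(s => `<div class="card"><img src="${s.src}"><p>${s.caption}</p></div>`)
    .join("");
}

// Hardened pattern, part 1: encode every untrusted string for the HTML text
// and double-quoted attribute contexts it will be placed in.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Hardened pattern, part 2: accept only absolute http(s) URLs for images, so
// javascript:, data: and malformed values never reach the src attribute.
function safeImageUrl(value) {
  try {
    const url = new URL(String(value));
    return url.protocol === "https:" || url.protocol === "http:" ? url.href : "";
  } catch {
    return ""; // relative or unparsable input is dropped rather than trusted
  }
}

function renderSlidesSafe(slides) {
  return slides
    .map(s => `<div class="card"><img src="${escapeHtml(safeImageUrl(s.src))}">` +
              `<p>${escapeHtml(s.caption)}</p></div>`)
    .join("");
}

// Self-check: the unsafe output still carries the live onerror handler and the
// javascript: URL; the safe output carries neither.
function demo() {
  const unsafe = renderSlidesUnsafe(SAMPLE_SLIDES);
  const safe = renderSlidesSafe(SAMPLE_SLIDES);
  return {
    unsafeHasHandler: unsafe.includes('onerror="alert(1)"'),
    safeHasHandler: safe.includes('onerror="alert(1)"'),
    safeDroppedJsUrl: safe.includes('<img src="">'),
  };
}
```

In a real page the hardened path should go one step further and build nodes with document.createElement, setting captions through textContent and the image URL through setAttribute after the scheme check, so that no attacker-influenced string is ever assigned to innerHTML even in escaped form. A CSP whose script-src names only the site's own origin plus a per-response nonce then blocks an inline onerror handler even if a sink is missed. To confirm whether a site is in the affected range, the WP-CLI command wp plugin get card-flip-image-slideshow --field=version reports the installed version.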

Advisories
Source: EUVD
ID: EUVD-2025-19937
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gopiplus Card flip image slideshow allows DOM-Based XSS. This issue affects Card flip image slideshow: from n/a through 1.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Description removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gopiplus Card flip image slideshow allows DOM-Based XSS. This issue affects Card flip image slideshow: from n/a through 1.5.
Description added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gopiplus Card flip image slideshow card-flip-image-slideshow allows DOM-Based XSS.This issue affects Card flip image slideshow: from n/a through <= 1.5.
References: changed (values not shown)
Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 08 Jul 2025 14:15:00 +0000

Metrics added (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 04 Jul 2025 09:00:00 +0000

Description added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gopiplus Card flip image slideshow allows DOM-Based XSS. This issue affects Card flip image slideshow: from n/a through 1.5.
Title added: WordPress Card flip image slideshow plugin <= 1.5 - Cross Site Scripting (XSS) Vulnerability
Weaknesses added: CWE-79
References: added (values not shown)
Metrics added (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Gopiplus Wp Image Slideshow
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:02.992Z

Reserved: 2025-03-26T09:22:41.972Z

Link: CVE-2025-30983

Vulnrichment

Updated: 2025-07-08T14:00:29.732Z

NVD

Status : Deferred

Published: 2025-07-04T09:15:35.120

Modified: 2026-04-23T15:27:27.217

Link: CVE-2025-30983

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T17:00:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')