Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Huseyin Berberoglu WP Hide Categories wp-hide-categories allows Reflected XSS. This issue affects WP Hide Categories: from n/a through <= 1.0.
Published: 2025-04-11
Score: 7.1 High
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability manifests as an improper neutralization of input during web page generation, allowing reflected cross‑site scripting attacks. An attacker can inject malicious JavaScript into the page output, potentially executing code in the context of an authenticated user, stealing session cookies, or defacing content. The weakness is classified as CWE‑79.

Affected Systems

The affected product is the WordPress plugin WP Hide Categories, developed by Huseyin Berberoglu. All versions from n/a through 1.0 are affected, so any site running the plugin at version 1.0 or below is vulnerable.

Risk and Exploitability

The CVSS score is 7.1, which is rated High. The EPSS score is less than 1%, suggesting a low likelihood of widespread exploitation at present. The issue is not listed in the CISA KEV catalog, though the vulnerability is still actionable. Exploitation requires user interaction: an attacker has to persuade a user to visit a crafted URL, and the plugin then reflects the input from that URL into the generated page without neutralizing it.

Generated by OpenCVE AI on April 30, 2026 at 23:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Hide Categories to the latest release (any version above 1.0).
  • If the plugin is not required, disable or remove it from the WordPress installation.
  • Implement input validation or whitelist parameters in custom code to sanitize any plugin‑related input, following best practices for preventing XSS.

Advisories
Source: EUVD
ID: EUVD-2025-10792
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Hide Categories allows Reflected XSS. This issue affects WP Hide Categories: from n/a through 1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Hide Categories allows Reflected XSS. This issue affects WP Hide Categories: from n/a through 1.0.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Huseyin Berberoglu WP Hide Categories wp-hide-categories allows Reflected XSS. This issue affects WP Hide Categories: from n/a through <= 1.0.
Title
  Removed: WordPress WP Hide Categories <= 1.0 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress WP Hide Categories plugin <= 1.0 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 11 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 11 Apr 2025 09:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Hide Categories allows Reflected XSS. This issue affects WP Hide Categories: from n/a through 1.0.
Title WordPress WP Hide Categories <= 1.0 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:03.884Z

Reserved: 2025-03-26T09:23:14.825Z

Link: CVE-2025-31028

Vulnrichment

Updated: 2025-04-11T13:50:46.904Z

NVD

Status: Deferred

Published: 2025-04-11T09:15:20.237

Modified: 2026-04-23T15:27:34.300

Link: CVE-2025-31028

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T23:30:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')