Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in enituretechnology Small Package Quotes – Worldwide Express Edition small-package-quotes-wwe-edition allows Reflected XSS. This issue affects Small Package Quotes – Worldwide Express Edition: from n/a through <= 5.2.18.
Published: 2025-04-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the failure to escape user input before rendering it back in a webpage, enabling attackers to inject malicious scripts that run in the victim's browser context. The flaw is classified as CWE‑79 and can result in session hijacking, cookie theft, defacement, or the execution of arbitrary client‑side commands. The impact is limited to the scope of the web application and the privileges of the compromised user, but it can undermine the confidentiality and integrity of the site’s data and user experience.

Affected Systems

The affected product is the Small Package Quotes – Worldwide Express Edition plugin developed by enituretechnology. Versions from the initial release through and including 5.2.18 are vulnerable. All installations that rely on these versions are at risk until the plugin is updated to a fixed release.

Risk and Exploitability

The CVSS base score of 7.1 indicates high severity. The EPSS score of less than 1% suggests that exploitation attempts are rare but not impossible. The vulnerability is not listed in CISA's KEV catalog, reducing the likelihood of widespread exploitation. The likely attack vector is a reflected request sent via a crafted URL or form that includes the unescaped input, which an attacker can trigger manually or embed in malicious content.

Generated by OpenCVE AI on May 1, 2026 at 01:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a version newer than 5.2.18, which removes the input sanitization flaw.
  • Deploy a Web Application Firewall or enforce a strict Content Security Policy to block inline script execution and mitigate any XSS vectors that remain.
  • If the plugin is not essential for operations, disable or uninstall it until a secure release is available.

Advisories
Source: EUVD
ID: EUVD-2025-9482
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in enituretechnology Small Package Quotes – Worldwide Express Edition allows Reflected XSS. This issue affects Small Package Quotes – Worldwide Express Edition: from n/a through 5.2.18.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in enituretechnology Small Package Quotes – Worldwide Express Edition allows Reflected XSS. This issue affects Small Package Quotes – Worldwide Express Edition: from n/a through 5.2.18.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in enituretechnology Small Package Quotes – Worldwide Express Edition small-package-quotes-wwe-edition allows Reflected XSS. This issue affects Small Package Quotes – Worldwide Express Edition: from n/a through <= 5.2.18.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 02 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 21:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in enituretechnology Small Package Quotes – Worldwide Express Edition allows Reflected XSS. This issue affects Small Package Quotes – Worldwide Express Edition: from n/a through 5.2.18.
Title WordPress Small Package Quotes – Worldwide Express Edition plugin <= 5.2.18 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:04.854Z

Reserved: 2025-03-26T09:25:58.779Z

Link: CVE-2025-31078

Vulnrichment

Updated: 2025-04-02T13:42:46.206Z

NVD

Status: Deferred

Published: 2025-04-01T21:15:46.297

Modified: 2026-04-23T15:27:39.860

Link: CVE-2025-31078

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T01:30:05Z

Weaknesses