Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michel - xiligroup dev xili-language xili-language allows Reflected XSS.This issue affects xili-language: from n/a through <= 2.21.2.
Published: 2025-04-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress users running the xili‑language plugin versions up to 2.21.2 face a reflected cross‑site scripting flaw. The plugin fails to neutralize incoming data that is later rendered in a web page, allowing an attacker to embed JavaScript. This flaw enables the execution of malicious scripts within the victim’s browser, potentially allowing credential theft or session hijacking. The vulnerability is a classic injection weakness (CWE‑79).

Affected Systems

The affected product is the xili‑language WordPress plugin developed by Michel – xiligroup dev. All releases from the first public release through 2.21.2 are vulnerable; based on the description, it is inferred that version 2.22 and later contain the fix.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, but the EPSS score of less than 1 % suggests a low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a crafted HTTP request that passes malicious data to the plugin, typically via a crafted URL. The attack vector is inferred to be a reflected XSS through query parameters, which an attacker can lure victims to via phishing or malicious links. Once a user loads the affected page, the injected script runs with the privileges the user has on the site.

Generated by OpenCVE AI on May 1, 2026 at 11:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the xili‑language plugin to version 2.22 or later, which removes the reflected XSS flaw.
  • If an immediate upgrade is not feasible, temporarily disable or delete the plugin to prevent exposure.
  • Implement a web application firewall or a content security policy to filter XSS payloads and enforce output sanitization for any remaining user‑controlled input.

Generated by OpenCVE AI on May 1, 2026 at 11:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9477 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michel - xiligroup dev xili-language allows Reflected XSS. This issue affects xili-language: from n/a through 2.21.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michel - xiligroup dev xili-language allows Reflected XSS. This issue affects xili-language: from n/a through 2.21.2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michel - xiligroup dev xili-language xili-language allows Reflected XSS.This issue affects xili-language: from n/a through <= 2.21.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 02 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 21:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michel - xiligroup dev xili-language allows Reflected XSS. This issue affects xili-language: from n/a through 2.21.2.
Title WordPress xili-language plugin <= 2.21.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:05.103Z

Reserved: 2025-03-26T09:26:11.884Z

Link: CVE-2025-31085

cve-icon Vulnrichment

Updated: 2025-04-02T14:12:17.931Z

cve-icon NVD

Status : Deferred

Published: 2025-04-01T21:15:46.873

Modified: 2026-04-23T15:27:40.667

Link: CVE-2025-31085

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T11:45:16Z

Weaknesses