Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in redpixelstudios RPS Include Content rps-include-content allows DOM-Based XSS.This issue affects RPS Include Content: from n/a through <= 1.2.1.
Published: 2025-03-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper Neutralization of Input During Web Page Generation (CWE‑79) allows DOM‑Based XSS in the RPS Include Content WordPress plugin. The attacker can inject client‑side scripts that run in a victim’s browser when the plugin renders content. Based on the description, it is inferred that the attacker could potentially leverage these scripts for actions such as cookie theft, defacement or session hijacking. The vulnerability resides in the plugin’s processing of user‑controlled data without proper escaping.

Affected Systems

The affected product is the WordPress plugin RPS Include Content from the vendor redpixelstudios, with all versions up to and including 1.2.1 susceptible to the XSS flaw.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, while the EPSS score of less than 1% suggests the likelihood of exploitation at the time of analysis is low. The vulnerability is not listed in the CISA KEV catalog, implying no confirmed large‑scale exploitation. Based on the description, it is inferred that likely attack vectors involve an attacker crafting a link or content that triggers the vulnerable code in the browser of a user who interacts with the plugin’s output.

Generated by OpenCVE AI on May 1, 2026 at 12:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the RPS Include Content plugin to a version newer than 1.2.1 to eliminate the DOM‑Based XSS flaw.
  • If the plugin cannot be updated, remove or disable it from the WordPress installation to prevent the vulnerability from being reachable.
  • Implement a Content Security Policy on the site to restrict inline scripts and mitigate any residual XSS risk from unpatched components.

Generated by OpenCVE AI on May 1, 2026 at 12:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-8571 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in redpixelstudios RPS Include Content allows DOM-Based XSS. This issue affects RPS Include Content: from n/a through 1.2.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in redpixelstudios RPS Include Content allows DOM-Based XSS. This issue affects RPS Include Content: from n/a through 1.2.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in redpixelstudios RPS Include Content rps-include-content allows DOM-Based XSS.This issue affects RPS Include Content: from n/a through <= 1.2.1.
Title WordPress RPS Include Content <= 1.2.1 - Cross Site Scripting (XSS) Vulnerability WordPress RPS Include Content plugin <= 1.2.1 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Fri, 28 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 28 Mar 2025 09:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in redpixelstudios RPS Include Content allows DOM-Based XSS. This issue affects RPS Include Content: from n/a through 1.2.1.
Title WordPress RPS Include Content <= 1.2.1 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:05.092Z

Reserved: 2025-03-26T09:26:19.814Z

Link: CVE-2025-31093

cve-icon Vulnrichment

Updated: 2025-03-28T14:20:05.132Z

cve-icon NVD

Status : Deferred

Published: 2025-03-28T10:15:17.640

Modified: 2026-04-23T15:27:41.613

Link: CVE-2025-31093

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T12:45:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')