Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in noonnoo Gravel allows Reflected XSS.This issue affects Gravel: from n/a through 1.6.
Published: 2025-04-04
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This CVE describes an improper neutralization of input during web page generation that allows an attacker to inject malicious scripts via the WordPress Gravel theme. The vulnerability is a reflected XSS flaw, which means a crafted URL can cause arbitrary script execution in the victim’s browser when a user views the page. An attacker could steal session cookies, perform account takeover, inject unwanted content, or redirect users to phishing sites. The impact is confined to the browser of anyone who accesses the malformed URL, but because the URL can be shared publicly, the attack surface is broad.

Affected Systems

The vulnerability affects the WordPress Gravel theme distributed by the vendor noonnoo, specifically all releases up to version 1.6 inclusive. Any WordPress site that has installed this theme is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 7.1 the flaw is considered high risk. The EPSS score of less than 1% indicates a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote, relying on a crafted HTTP request that causes the theme to echo unsanitized input back to the browser. No authentication or local privileges are required, so any web visitor can trigger the issue.

Generated by OpenCVE AI on May 1, 2026 at 00:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Gravel theme to the latest available version that removes the reflected XSS issue (at least 1.7).
  • If an upgrade cannot be performed immediately, temporarily deactivate or remove the Gravel theme from the site until a patched version is available.
  • Audit the theme’s source files for any remaining echo or print statements that output user‑controlled data without proper escaping, and apply the appropriate sanitization functions.
  • As a temporary protective measure, implement a strict Content‑Security‑Policy header to limit script execution sites and reduce the impact of any remaining XSS.

Generated by OpenCVE AI on May 1, 2026 at 00:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9740 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in noonnoo Gravel allows Reflected XSS.This issue affects Gravel: from n/a through 1.6.
History

Tue, 28 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in noonnoo Gravel gravel allows Reflected XSS.This issue affects Gravel: from n/a through <= 1.6. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in noonnoo Gravel allows Reflected XSS.This issue affects Gravel: from n/a through 1.6.
References

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in noonnoo Gravel allows Reflected XSS.This issue affects Gravel: from n/a through 1.6. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in noonnoo Gravel gravel allows Reflected XSS.This issue affects Gravel: from n/a through <= 1.6.
References

Fri, 04 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 04 Apr 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in noonnoo Gravel allows Reflected XSS.This issue affects Gravel: from n/a through 1.6.
Title WordPress Gravel theme <= 1.6 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:07.091Z

Reserved: 2025-03-28T11:00:03.509Z

Link: CVE-2025-31418

cve-icon Vulnrichment

Updated: 2025-04-04T13:58:27.301Z

cve-icon NVD

Status : Deferred

Published: 2025-04-04T14:15:24.053

Modified: 2026-04-28T19:31:02.337

Link: CVE-2025-31418

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T01:00:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')