Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jiangmiao WP Cleaner wpcleaner allows Reflected XSS. This issue affects WP Cleaner: from n/a through <= 1.1.5.
Published: 2025-04-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Neutralization of Input during Web Page Generation (Cross‑Site Scripting). An attacker can inject malicious JavaScript that is executed in the victim’s browser when the affected parameter is reflected back into the page. This can lead to theft of session cookies or arbitrary execution of scripts in the user’s context, potentially compromising account data or enabling phishing. The flaw is identified as CWE‑79.

Affected Systems

WordPress plugin WP Cleaner (jiangmiao) – versions up to and including 1.1.5 are affected. All installations of the plugin in this range are susceptible; later versions are not listed as vulnerable.

Risk and Exploitability

The CVSS score of 7.1 classifies the vulnerability as high severity, yet the EPSS score of <1% indicates a very low probability of exploitation at present. Because the attack vector is reflected XSS, an attacker only needs to craft a link containing the malicious payload and get a victim to visit it, which is feasible via social engineering or malicious emails. The vulnerability is not currently listed in the CISA KEV catalog, further suggesting limited active exploitation. System owners should therefore treat the flaw as high risk with moderate likelihood of exploitation, especially if the plugin is exposed to public users.

Generated by OpenCVE AI on May 1, 2026 at 01:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Cleaner to a version newer than 1.1.5 as soon as an official patch is released.
  • If updating is not immediately possible, remove or disable the plugin to eliminate the attack surface.
  • Implement a Content Security Policy and ensure all user-supplied data is properly escaped before rendering, following best practices for input validation.



Advisories
Source: EUVD
ID: EUVD-2025-9454
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jiangmiao WP Cleaner allows Reflected XSS. This issue affects WP Cleaner: from n/a through 1.1.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jiangmiao WP Cleaner allows Reflected XSS. This issue affects WP Cleaner: from n/a through 1.1.5. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jiangmiao WP Cleaner wpcleaner allows Reflected XSS.This issue affects WP Cleaner: from n/a through <= 1.1.5.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 02 Apr 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 21:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jiangmiao WP Cleaner allows Reflected XSS. This issue affects WP Cleaner: from n/a through 1.1.5.
Title WordPress WP Cleaner plugin <= 1.1.5 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:07.238Z

Reserved: 2025-03-28T11:00:39.752Z

Link: CVE-2025-31446

Vulnrichment

Updated: 2025-04-02T16:13:48.263Z

NVD

Status: Deferred

Published: 2025-04-01T21:15:47.890

Modified: 2026-04-23T15:27:50.533

Link: CVE-2025-31446

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T01:30:05Z

Weaknesses