Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arefly Delete Post Revision delete-post-revision allows Reflected XSS. This issue affects Delete Post Revision: from n/a through <= 1.1.
Published: 2025-04-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input during page generation in the Arefly Delete Post Revision plugin allows attackers to inject malicious JavaScript that is reflected back to the browser. This reflected XSS flaw (CWE‑79) can execute arbitrary scripts in the victim’s browser context, potentially manipulating page content, capturing session cookies, or performing unauthorized actions on behalf of the victim. The vulnerability exists due to lack of output encoding when handling plugin parameters, enabling direct execution of an attacker‑controlled payload if a vulnerable URL is accessed.

Affected Systems

The affected product is the Delete Post Revision plugin developed by Arefly, with all versions from the first release up to and including 1.1 susceptible. Users running any version <= 1.1 of this WordPress plugin should be aware of the risk.

Risk and Exploitability

The CVSS score of 7.1 classifies this as high severity, while the EPSS score of < 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. Based on the description, the likely attack vector involves an attacker crafting a malicious URL or parameter that is reflected in the plugin’s output; an authenticated or unauthenticated user clicking the link would be required for the exploit to trigger.

Generated by OpenCVE AI on May 1, 2026 at 01:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Delete Post Revision plugin to a version newer than 1.1 if a patch or newer release is available, or uninstall the plugin entirely if no update exists.
  • If upgrading or removing the plugin is not immediately possible, configure a Web Application Firewall or develop a custom filter to escape or block any user‑supplied parameters that are rendered by the plugin.
  • Strengthen overall site security by enforcing strong, unique passwords for all administrative accounts, enabling two‑factor authentication where supported, and monitoring for suspicious login activity, to limit the impact of any session hijacking that could result from XSS exploitation.


Advisories

Source: EUVD
ID: EUVD-2025-9451
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Delete Post Revision allows Reflected XSS. This issue affects Delete Post Revision: from n/a through 1.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1):
{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Description (removed): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Delete Post Revision allows Reflected XSS. This issue affects Delete Post Revision: from n/a through 1.1.
Description (added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arefly Delete Post Revision delete-post-revision allows Reflected XSS. This issue affects Delete Post Revision: from n/a through <= 1.1.
References
Metrics (cvssV3_1):
{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 02 Apr 2025 17:15:00 +0000

Metrics (ssvc):
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 21:00:00 +0000

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Delete Post Revision allows Reflected XSS. This issue affects Delete Post Revision: from n/a through 1.1.
Title: WordPress Delete Post Revision plugin <= 1.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses: CWE-79
References
Metrics (cvssV3_1):
{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:07.338Z

Reserved: 2025-03-28T11:00:39.753Z

Link: CVE-2025-31454

Vulnrichment

Updated: 2025-04-02T16:12:26.850Z

NVD

Status : Deferred

Published: 2025-04-01T21:15:48.030

Modified: 2026-04-23T15:27:51.450

Link: CVE-2025-31454

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T01:30:05Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')