Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ralxz Limit Max IPs Per User limit-max-ips-per-user allows DOM-Based XSS. This issue affects Limit Max IPs Per User: from n/a through <= 1.5.
Published: 2025-04-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a DOM-based reflected cross-site scripting flaw in the WordPress 'Limit Max IPs Per User' plugin. The plugin fails to neutralize user-supplied input before it is rendered in the browser, so an attacker can inject script that executes in the victim's browser context. Such script execution can lead to session hijacking, credential theft, or site defacement. The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).

Affected Systems

The affected software is the 'Limit Max IPs Per User' plugin developed by ralxz. All releases from the initial version through (and including) 1.5 are susceptible. WordPress sites running any of these versions and having the plugin active are at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The issue is not listed in CISA's KEV catalog. Exploitation requires that the plugin be active and that the victim visit a URL or submit input that triggers the XSS; an attacker can craft a link or input that causes arbitrary JavaScript to run in the victim's browser.

Generated by OpenCVE AI on May 1, 2026 at 01:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Limit Max IPs Per User plugin to the latest version (>=1.6).
  • If update not possible, deactivate or uninstall the plugin until a fix is available.
  • Implement a strict Content Security Policy and sanitize all user inputs to mitigate XSS risk.


Tracking


Advisories
Source | ID | Title
EUVD | EUVD-2025-9459 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Limit Max IPs Per User allows DOM-Based XSS. This issue affects Limit Max IPs Per User: from n/a through 1.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Limit Max IPs Per User allows DOM-Based XSS. This issue affects Limit Max IPs Per User: from n/a through 1.5. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ralxz Limit Max IPs Per User limit-max-ips-per-user allows DOM-Based XSS.This issue affects Limit Max IPs Per User: from n/a through <= 1.5.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 02 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 21:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Limit Max IPs Per User allows DOM-Based XSS. This issue affects Limit Max IPs Per User: from n/a through 1.5.
Title WordPress Limit Max IPs Per User plugin <= 1.5 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:07.574Z

Reserved: 2025-03-28T11:00:51.876Z

Link: CVE-2025-31455

Vulnrichment

Updated: 2025-04-02T16:10:15.227Z

NVD

Status: Deferred

Published: 2025-04-01T21:15:48.180

Modified: 2026-04-23T15:27:51.563

Link: CVE-2025-31455

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T01:30:05Z

Weaknesses