Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scottsm WP_Identicon wp-identicon allows Reflected XSS. This issue affects WP_Identicon: from n/a through <= 2.0.
Published: 2025-04-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation that allows malicious scripts to be reflected back to a user’s browser. The reflected cross‑site scripting can cause arbitrary JavaScript to execute in the victim’s session, potentially compromising application integrity and confidentiality. The description indicates no further impacts beyond the injection of malicious code.

Affected Systems

The WP_Identicon plugin for WordPress, developed by scottsm, is affected from its earliest available version through 2.0. Any WordPress site that hosts WP_Identicon 2.0 or earlier is vulnerable, while no other WordPress plugins or core components are listed as affected.

Risk and Exploitability

The CVSS score of 7.1 denotes high severity, but the EPSS score of less than 1% indicates a low current probability of exploitation. The vulnerability is not included in the CISA KEV catalog. Based on the description, the likely attack vector is a crafted HTTP request whose payload is reflected back in the response; consistent with the UI:R component of the CVSS vector, a victim must first be induced to open the crafted request, and the effect is confined to that victim's browser session.

Generated by OpenCVE AI on May 2, 2026 at 02:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP_Identicon to any version newer than 2.0 when the vendor releases a fix.
  • Until an official fix is available, configure the site to sanitize or encode any data passed to WP_Identicon before it is rendered in a page.
  • Consider deploying application‑level XSS filtering or using a security plugin that blocks reflected XSS payloads.
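As an added illustration of the second recommended action, the following WordPress-style snippet shows the reflected-XSS pattern beside its hardened form. This is example code written for this page, not code from the WP_Identicon plugin (the advisory does not identify which parameter is affected); the parameter name `identicon_label` and the two render functions are assumptions for illustration. `esc_attr()`, `esc_html()` and `sanitize_text_field()` are real WordPress functions; the simplified fallbacks defined here exist only so the file runs under plain PHP outside WordPress.

```php
<?php
// Added example, not WP_Identicon's own code. The fallbacks below are simplified
// stand-ins for WordPress's real helpers so this file runs under the PHP CLI;
// inside WordPress the real implementations are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    // WordPress's version also normalizes whitespace and strips invalid octets.
    function sanitize_text_field($text) { return trim(strip_tags((string) $text)); }
}

// Vulnerable pattern (CWE-79): a request parameter is concatenated straight into
// markup, so a value that closes the alt="" attribute lands in the page as HTML.
function render_identicon_vulnerable(array $request) {
    $label = $request['identicon_label'] ?? '';   // hypothetical parameter name
    return '<img class="identicon" alt="' . $label . '"><span>' . $label . '</span>';
}

// Hardened pattern: sanitize on input, then escape on output with the helper that
// matches the exact context (attribute value vs. element text).
function render_identicon_hardened(array $request) {
    $label = sanitize_text_field($request['identicon_label'] ?? '');
    return '<img class="identicon" alt="' . esc_attr($label) . '"><span>' . esc_html($label) . '</span>';
}

// Constructed sample input standing in for $_GET: closes the attribute and injects a tag.
$sample = ['identicon_label' => '"><b>injected</b>'];

echo "vulnerable: " . render_identicon_vulnerable($sample) . PHP_EOL;
// hardened output renders the value literally: alt="&quot;&gt;injected"
echo "hardened:   " . render_identicon_hardened($sample) . PHP_EOL;
```

The point to check in any interim hardening is the output context: `esc_attr()` is the right call inside an attribute and `esc_html()` inside element text; using one where the other is needed, or sanitizing on input only, still leaves a reflection path. The example handles the attribute-breakout case in the constructed input, which is the one a `"`-delimited `alt` value needs to survive.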



Advisories

Source: EUVD
ID: EUVD-2025-14757
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP_Identicon allows Reflected XSS. This issue affects WP_Identicon: from n/a through 2.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP_Identicon allows Reflected XSS. This issue affects WP_Identicon: from n/a through 2.0.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scottsm WP_Identicon wp-identicon allows Reflected XSS.This issue affects WP_Identicon: from n/a through <= 2.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 03 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 03 Apr 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP_Identicon allows Reflected XSS. This issue affects WP_Identicon: from n/a through 2.0.
Title WordPress WP_Identicon plugin <= 2.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:01:43.741Z

Reserved: 2025-03-28T11:01:02.395Z

Link: CVE-2025-31468

Vulnrichment

Updated: 2025-04-03T14:59:01.353Z

NVD

Status : Deferred

Published: 2025-04-03T14:15:35.863

Modified: 2026-04-23T15:27:53.047

Link: CVE-2025-31468

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T02:45:32Z

Weaknesses