Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in moshensky CF7 Spreadsheets cf7-spreadsheets allows Reflected XSS. This issue affects CF7 Spreadsheets: from n/a through <= 2.3.2.
Published: 2025-04-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A reflected Cross‑Site Scripting (XSS) flaw exists in the CF7 Spreadsheets WordPress plugin. The vulnerability arises from the plugin’s failure to neutralize user‑supplied input before rendering it in a browser, allowing an attacker to inject arbitrary JavaScript that executes in the context of the victim’s browser, potentially granting access to sensitive data or session information. This weakness is categorized as CWE‑79.

Affected Systems

The issue affects the CF7 Spreadsheets plugin from its earliest releases up through version 2.3.2. It impacts WordPress sites that have installed any of these versions, regardless of operating system or hosting environment. Updates to versions beyond 2.3.2 are not explicitly mentioned but are presumed to contain the fix.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity level, and the EPSS score of less than 1% suggests that, while the vulnerability exists, the probability of exploitation at this time is low. The flaw is not listed in CISA’s KEV catalog. The attack vector is inferred to be remote, leveraging a crafted request to a form processed by the plugin; an attacker who can embed the malicious payload in a form submission can trigger the reflected XSS in any visitor’s browser that accesses the affected page.

Generated by OpenCVE AI on May 1, 2026 at 01:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update CF7 Spreadsheets to the latest version (≥ 2.3.3 if available) to eliminate the XSS flaw.
  • Ensure that the plugin’s output is properly escaped by inspecting the plugin code for any remaining unfiltered data before rendering.
  • Implement a Content Security Policy that restricts inline script execution and disallows loading scripts from untrusted origins, thereby mitigating the impact of any residual XSS vulnerabilities.

Advisories
Source: EUVD
ID: EUVD-2025-14752
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in moshensky CF7 Spreadsheets allows Reflected XSS. This issue affects CF7 Spreadsheets: from n/a through 2.3.2.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in moshensky CF7 Spreadsheets allows Reflected XSS. This issue affects CF7 Spreadsheets: from n/a through 2.3.2.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in moshensky CF7 Spreadsheets cf7-spreadsheets allows Reflected XSS.This issue affects CF7 Spreadsheets: from n/a through <= 2.3.2.
References
Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 03 Apr 2025 15:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 03 Apr 2025 13:45:00 +0000

Values Added:
  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in moshensky CF7 Spreadsheets allows Reflected XSS. This issue affects CF7 Spreadsheets: from n/a through 2.3.2.
  Title: WordPress CF7 Spreadsheets plugin <= 2.3.2 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

WordPress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:08.692Z

Reserved: 2025-03-31T10:05:22.813Z

Link: CVE-2025-31536

Vulnrichment

Updated: 2025-04-03T14:58:57.898Z

NVD

Status: Deferred

Published: 2025-04-03T14:15:36.417

Modified: 2026-04-23T15:27:55.283

Link: CVE-2025-31536

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T01:15:05Z

Weaknesses