Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeSolz Ultimate Push Notifications ultimate-push-notifications allows Reflected XSS. This issue affects Ultimate Push Notifications: from n/a through <= 1.2.0.
Published: 2025-04-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CodeSolz Ultimate Push Notifications plugin contains a reflected XSS flaw where unsanitized input can be injected into page content. This weakness, classified as CWE‑79, permits an attacker to craft a URL or input that is reflected back to the victim without proper escaping. Successful exploitation could lead to the execution of arbitrary script code within the victim's browser, potentially compromising session data, defacing the site, or installing malware on the client machine.

Affected Systems

WordPress sites that install the Ultimate Push Notifications plugin version 1.2.0 or earlier. The vulnerability was introduced in the earliest released version and remains present up through 1.2.0 inclusive.

Risk and Exploitability

The vulnerability has a CVSS score of 7.1, indicating a high severity for the affected plugin. The EPSS score is less than 1%, suggesting that although the flaw is high impact, it is currently considered unlikely to be widely targeted. The issue is not listed in CISA’s KEV catalog. Attackers would need only a crafted URL or input that is reflected in the page; no privileged access is required, making exploitation relatively straightforward from any user with access to the plugin’s pages.

Generated by OpenCVE AI on May 1, 2026 at 11:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ultimate Push Notifications plugin to a version newer than 1.2.0 that removes the reflected XSS vector.
  • If an upgrade is infeasible, disable the feature that processes user‑supplied data or restrict the input to whitelisted characters.
  • Implement a strict Content Security Policy that disallows inline scripts and scripts from unknown origins, reducing the impact of any remaining reflected payload.

Advisories
Source: EUVD
ID: EUVD-2025-9445
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M. Tuhin Ultimate Push Notifications allows Reflected XSS. This issue affects Ultimate Push Notifications: from n/a through 1.1.8.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M. Tuhin Ultimate Push Notifications allows Reflected XSS. This issue affects Ultimate Push Notifications: from n/a through 1.1.8.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeSolz Ultimate Push Notifications ultimate-push-notifications allows Reflected XSS. This issue affects Ultimate Push Notifications: from n/a through <= 1.2.0.

Type: Title
Values Removed: WordPress Ultimate Push Notifications plugin <= 1.1.8 - Reflected Cross Site Scripting (XSS) vulnerability
Values Added: WordPress Ultimate Push Notifications plugin <= 1.2.0 - Reflected Cross Site Scripting (XSS) vulnerability

References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 02 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 21:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M. Tuhin Ultimate Push Notifications allows Reflected XSS. This issue affects Ultimate Push Notifications: from n/a through 1.1.8.
Title WordPress Ultimate Push Notifications plugin <= 1.1.8 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:08.729Z

Reserved: 2025-03-31T10:05:28.896Z

Link: CVE-2025-31548

Vulnrichment

Updated: 2025-04-02T13:23:22.023Z

NVD

Status: Deferred

Published: 2025-04-01T21:15:49.313

Modified: 2026-04-23T15:27:56.683

Link: CVE-2025-31548

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:45:16Z

Weaknesses