Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pepro Dev. Group PeproDev CF7 Database pepro-cf7-database allows Stored XSS. This issue affects PeproDev CF7 Database: from n/a through <= 2.0.0.
Published: 2025-04-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The PeproDev CF7 Database plugin, used within WordPress sites, contains a stored Cross‑Site Scripting flaw that allows an attacker to insert malicious script into data that is subsequently displayed on the site. This weakness, categorized as CWE-79, could let an attacker execute arbitrary code in the browsers of any visitor who views the affected content, potentially leading to defacement, phishing, or theft of session cookies.

Affected Systems

The flaw impacts the PeproDev CF7 Database plugin from (unknown earliest version) through version 2.0.0. Site operators running any of these versions are affected; the vendor is Pepro Dev under the PeproDev CF7 Database group.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity, while the EPSS of less than 1% suggests a low current exploitation probability. The vulnerability is not yet listed in CISA KEV. An attacker would need to supply malicious input via the plugin’s data entry feature; the stored payload would be rendered unescaped, enabling script execution in the browsers of any user who accesses the data. Because the flaw involves stored data, the impact can reach anyone who visits the affected pages.

Generated by OpenCVE AI on May 1, 2026 at 01:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PeproDev CF7 Database to a version newer than 2.0.0, which contains the vendor fix for this XSS flaw
  • If an update is not feasible, disable the plugin for untrusted or anonymous users or replace it with an alternative that properly sanitizes input
  • Implement a Content Security Policy that restricts executable scripts on the site, and ensure all output is properly escaped before rendering

Advisories
Source: EUVD
ID: EUVD-2025-14748
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pepro Dev. Group PeproDev CF7 Database allows Stored XSS. This issue affects PeproDev CF7 Database: from n/a through 2.0.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pepro Dev. Group PeproDev CF7 Database allows Stored XSS. This issue affects PeproDev CF7 Database: from n/a through 2.0.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pepro Dev. Group PeproDev CF7 Database pepro-cf7-database allows Stored XSS. This issue affects PeproDev CF7 Database: from n/a through <= 2.0.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 03 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 03 Apr 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pepro Dev. Group PeproDev CF7 Database allows Stored XSS. This issue affects PeproDev CF7 Database: from n/a through 2.0.0.
Title WordPress PeproDev CF7 Database plugin <= 2.0.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:09.140Z

Reserved: 2025-03-31T10:05:43.540Z

Link: CVE-2025-31573

Vulnrichment

Updated: 2025-04-03T14:58:48.640Z

NVD

Status: Deferred

Published: 2025-04-03T14:15:37.313

Modified: 2026-04-23T15:27:59.470

Link: CVE-2025-31573

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T01:15:05Z

Weaknesses