Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hiroprot Terms Before Download terms-before-download allows Stored XSS. This issue affects Terms Before Download: from n/a through <= 1.0.5.
Published: 2025-03-31
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability stems from improper neutralization of user-supplied input in the Terms Before Download WordPress plugin, allowing stored cross-site scripting (CWE-79). A malicious user can store script content that is later rendered unescaped and executed in the browser of anyone who views the page that includes the injected data, compromising the integrity of the displayed page and the viewer's session with the site.

Affected Systems

The issue affects installations of the Terms Before Download plugin by hiroprot on any WordPress site running any version from the plugin's earliest release through 1.0.5.

Risk and Exploitability

With a CVSS score of 6.5, the flaw is considered moderate severity. The EPSS score of less than 1% indicates a low probability of widespread exploitation. Per the CVSS vector (AV:N/AC:L/PR:L/UI:R/S:C), the attack is performed over the network through normal web interface interactions, needs only a low-privilege account rather than administrative credentials, and requires a victim to view the affected content; because the scope is changed, any visitor who views the affected content could be exposed to the injected script. The vulnerability is not listed in the CISA KEV catalog, meaning no known active exploitation is documented at present.

Generated by OpenCVE AI on May 1, 2026 at 12:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Terms Before Download plugin to the latest released version that removes the stored XSS flaw; this is the official vendor fix.
  • If a patched version is not available, disable or uninstall the plugin to eliminate the attack surface until one is.
  • Deploy a Content Security Policy that disallows inline scripts (for example, a nonce- or hash-based script-src without 'unsafe-inline'); this limits the impact of any remaining XSS vectors in the plugin's output but does not replace the upgrade.
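The two controls behind these recommendations, output escaping of stored text and a CSP that forbids inline scripts, are shown below in a self-contained PHP example. This is added illustration, not code from the Terms Before Download plugin or from OpenCVE: the function names, the stored sample text and the page layout are constructed for the demonstration, and it uses plain PHP (htmlspecialchars, random_bytes) so it can be run from the command line; inside a real WordPress plugin the equivalent calls would be esc_html() or wp_kses_post() for output and the send_headers action for emitting the header.

```php
<?php
// Added example, not the plugin's code. Demonstrates why stored text must be
// escaped at output time and how a nonce-based CSP limits inline-script execution.

// Constructed sample of attacker-controlled text as it might sit in the database.
const SAMPLE_STORED_TERMS = "By downloading you agree.<script>/* injected */</script>";

// Vulnerable pattern: stored text is concatenated into the page unchanged.
function render_terms_unsafe(string $stored): string
{
    return '<div class="terms">' . $stored . '</div>';
}

// Hardened pattern: escape for the HTML body context at the point of output.
// ENT_QUOTES also neutralises quotes, so the same helper is safe inside attributes.
function render_terms_safe(string $stored): string
{
    $escaped = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="terms">' . $escaped . '</div>';
}

// Fresh per-response nonce; only <script nonce="..."> tags the server emitted may run.
function new_script_nonce(): string
{
    return base64_encode(random_bytes(16));
}

// CSP value that allows same-origin and nonced scripts only (no 'unsafe-inline').
function csp_header_value(string $nonce): string
{
    return "default-src 'self'; script-src 'self' 'nonce-$nonce'; object-src 'none'; base-uri 'self'";
}

// Simple check a reviewer can run: does the rendered fragment still contain a raw <script> tag?
function contains_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Self-check when run from the CLI: php example.php
if (PHP_SAPI === 'cli') {
    $nonce = new_script_nonce();
    // In WordPress this would be sent from a 'send_headers' callback; here we only print it.
    echo 'Content-Security-Policy: ' . csp_header_value($nonce), "\n\n";

    echo 'unsafe: ', render_terms_unsafe(SAMPLE_STORED_TERMS), "\n";   // raw <script> survives
    echo 'safe:   ', render_terms_safe(SAMPLE_STORED_TERMS), "\n";     // &lt;script&gt; text only

    assert(contains_raw_script(render_terms_unsafe(SAMPLE_STORED_TERMS)));
    assert(!contains_raw_script(render_terms_safe(SAMPLE_STORED_TERMS)));
}
```

The escaping must happen where the text is written into HTML, not only when it is saved: sanitising on input is a useful second layer, but data can reach the database through other paths (imports, older versions, direct edits). The CSP is a containment measure for the browser; with a nonce-based script-src, an injected `<script>` without the per-response nonce is refused even if the escaping is missed somewhere.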

Generated by OpenCVE AI on May 1, 2026 at 12:07 UTC.

Tracking


Advisories
Source: EUVD
ID: EUVD-2025-8789
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hiroprot Terms Before Download allows Stored XSS. This issue affects Terms Before Download: from n/a through 1.0.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hiroprot Terms Before Download allows Stored XSS. This issue affects Terms Before Download: from n/a through 1.0.4.
Value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hiroprot Terms Before Download terms-before-download allows Stored XSS. This issue affects Terms Before Download: from n/a through <= 1.0.5.

Type: Title
Value removed: WordPress Terms Before Download plugin <= 1.0.4 - Cross Site Scripting (XSS) vulnerability
Value added: WordPress Terms Before Download plugin <= 1.0.5 - Cross Site Scripting (XSS) vulnerability

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Mon, 31 Mar 2025 14:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 31 Mar 2025 13:00:00 +0000

Type: Description
Value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hiroprot Terms Before Download allows Stored XSS. This issue affects Terms Before Download: from n/a through 1.0.4.

Type: Title
Value added: WordPress Terms Before Download plugin <= 1.0.4 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Value added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Value added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:10.280Z

Reserved: 2025-03-31T10:06:23.642Z

Link: CVE-2025-31614

Vulnrichment

Updated: 2025-03-31T13:39:21.490Z

NVD

Status : Deferred

Published: 2025-03-31T13:15:55.577

Modified: 2026-04-23T15:28:04.720

Link: CVE-2025-31614

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T12:15:17Z

Weaknesses