Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infoway LLC Ebook Downloader ebook-downloader allows Stored XSS. This issue affects Ebook Downloader: from n/a through <= 1.0.
Published: 2025-04-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Infoway LLC’s Ebook Downloader plugin is vulnerable to Stored Cross‑Site Scripting due to improper neutralization of input when generating web pages. The flaw lets an attacker inject malicious script into the plugin’s content storage, which is subsequently rendered on the site. When executed, the script can steal user cookies, hijack sessions, or deface the site, thereby compromising confidentiality, integrity, and possibly availability for site visitors. The weakness is classified as CWE‑79.

Affected Systems

WordPress sites that use Infoway LLC’s Ebook Downloader plugin, version 1.0 or earlier. No additional vendor or product variants are listed as affected.

Risk and Exploitability

The CVSS score of 6.5 reflects a moderate severity, but the EPSS score of less than 1% indicates a very low likelihood of active exploitation at present, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the attack vector is presumably through form submissions or administrative content entry within the plugin, where malicious payloads are stored and later displayed to site visitors. The risk to stakeholders is moderate; however, the exploitation probability remains low.

Generated by OpenCVE AI on May 1, 2026 at 01:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ebook Downloader to the latest available version to remove the stored XSS flaw
  • When an upgrade cannot be performed immediately, ensure all user‑supplied data entered through the plugin is sanitized with WordPress’s sanitize_text_field or wp_kses before rendering or storage
  • Restrict the plugin’s administrative actions to trusted users only and monitor logs for unusual script input

Advisories
Source: EUVD
ID: EUVD-2025-9144
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infoway LLC Ebook Downloader allows Stored XSS. This issue affects Ebook Downloader: from n/a through 1.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infoway LLC Ebook Downloader allows Stored XSS. This issue affects Ebook Downloader: from n/a through 1.0.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infoway LLC Ebook Downloader ebook-downloader allows Stored XSS. This issue affects Ebook Downloader: from n/a through <= 1.0.
References
Metrics cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Thu, 03 Apr 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infoway LLC Ebook Downloader allows Stored XSS. This issue affects Ebook Downloader: from n/a through 1.0.
Title WordPress Ebook Downloader plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:15.264Z

Reserved: 2025-04-01T13:21:29.404Z

Link: CVE-2025-31894

Vulnrichment

Updated: 2025-04-01T16:30:01.970Z

NVD

Status: Deferred

Published: 2025-04-01T15:16:32.550

Modified: 2026-04-23T15:28:30.200

Link: CVE-2025-31894

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T01:45:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')