Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xavi Ivars XV Random Quotes xv-random-quotes allows Reflected XSS.This issue affects XV Random Quotes: from n/a through <= 2.0.0.
Published: 2025-04-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The XV Random Quotes plugin contains a flaw where data supplied by users is not properly neutralized before being rendered into web pages. This vulnerability permits reflected XSS, allowing an attacker to inject and run malicious scripts in a victim’s browser when the plugin processes a crafted request. The consequence is that code runs in the victim’s browser context, potentially exposing session information or manipulating page content.

Affected Systems

This issue affects installations of Xavi Ivars' XV Random Quotes plugin with a version number no higher than 2.0.0. WordPress sites that have the plugin in any of these releases are potentially vulnerable and should verify the installed version.

Risk and Exploitability

The CVSS base score of 7.1 indicates a moderate to high severity, while the EPSS score of less than 1 % suggests a low current likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. According to the description, the likely attack vector involves an attacker crafting HTTP requests that embed malicious scripts into parameters processed by the plugin; the attacker would need a victim to visit such a URL. The flaw does not require privileged access beyond triggering the page load.

Generated by OpenCVE AI on May 2, 2026 at 08:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the XV Random Quotes plugin to any release newer than version 2.0.0 to remove the XSS flaw.
  • If an update is unavailable, uninstall or deactivate the plugin from the WordPress installation to eliminate the vulnerable code path.
  • Configure a Web Application Firewall or implement server‑side input sanitization that encodes or rejects untrusted script input before it is rendered in the plugin’s output.

Generated by OpenCVE AI on May 2, 2026 at 08:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-14724 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound XV Random Quotes allows Reflected XSS. This issue affects XV Random Quotes: from n/a through 1.37.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound XV Random Quotes allows Reflected XSS. This issue affects XV Random Quotes: from n/a through 1.37. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xavi Ivars XV Random Quotes xv-random-quotes allows Reflected XSS.This issue affects XV Random Quotes: from n/a through <= 2.0.0.
Title WordPress XV Random Quotes Plugin <= 1.37 - Cross Site Scripting (XSS) vulnerability WordPress XV Random Quotes plugin <= 2.0.0 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 03 Apr 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound XV Random Quotes allows Reflected XSS. This issue affects XV Random Quotes: from n/a through 1.37.
Title WordPress XV Random Quotes Plugin <= 1.37 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:15.877Z

Reserved: 2025-04-01T13:21:40.753Z

Link: CVE-2025-31903

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2025-04-03T14:15:42.647

Modified: 2026-04-23T15:28:31.230

Link: CVE-2025-31903

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T08:45:38Z

Weaknesses