Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Salisbury Request Call Back request-call-back allows Stored XSS. This issue affects Request Call Back: from n/a through <= 1.4.1.
Published: 2025-04-09
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can register malicious JavaScript within the Request Call Back plugin’s storage, which is later rendered unsanitized in the web page. This stored cross‑site scripting attack enables the injected script to execute in the browsers of any user who views the affected content, potentially allowing session hijacking, defacement, or delivery of additional payloads. The flaw is classified as CWE‑79 and carries a CVSS score of 5.9, indicating moderate severity.

Affected Systems

The vulnerable component is the Request Call Back WordPress plugin developed by Scott Salisbury, all releases from the beginning of its availability through version 1.4.1. No other vendors are noted in the CNA data.

Risk and Exploitability

Because the EPSS is below 1% and the issue is not listed in CISA KEV, widespread exploitation is unlikely. Nevertheless, the vulnerability can be triggered via the plugin’s input controls or administrative interface, allowing an attacker who can submit data to store a payload that later executes for any visitor who loads the page. The impact is confined to users who view the stored content rather than to the overall system.

Generated by OpenCVE AI on May 1, 2026 at 10:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Request Call Back plugin to the latest available release, which should incorporate input sanitization for output rendering.
  • If an immediate update is not possible, disable all input fields that accept untrusted content or enforce custom sanitization rules to strip unsafe script tags before storage and rendering.
  • As a temporary measure, deactivate or delete the plugin until a patch is applied or a secure configuration is in place.

Advisories
Source: EUVD
ID: EUVD-2025-10609
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Salisbury Request Call Back allows Stored XSS. This issue affects Request Call Back: from n/a through 1.4.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Salisbury Request Call Back allows Stored XSS. This issue affects Request Call Back: from n/a through 1.4.1.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Salisbury Request Call Back request-call-back allows Stored XSS. This issue affects Request Call Back: from n/a through <= 1.4.1.
Title
  Removed: WordPress Request Call Back <= 1.4.1 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress Request Call Back plugin <= 1.4.1 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 09 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 09 Apr 2025 16:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Salisbury Request Call Back allows Stored XSS. This issue affects Request Call Back: from n/a through 1.4.1.
Title WordPress Request Call Back <= 1.4.1 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:22.188Z

Reserved: 2025-04-09T11:18:53.987Z

Link: CVE-2025-32483

Vulnrichment

Updated: 2025-04-09T18:19:41.881Z

NVD

Status: Deferred

Published: 2025-04-09T17:15:41.000

Modified: 2026-04-23T15:28:57.883

Link: CVE-2025-32483

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:00:15Z

Weaknesses