Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CoolHappy Cool Flipbox – Shortcode & Gutenberg Block flip-boxes allows Reflected XSS. This issue affects Cool Flipbox – Shortcode & Gutenberg Block: from n/a through <= 1.8.3.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected Cross‑Site Scripting (XSS) flaw caused by insufficient sanitization of user data when generating web pages. An attacker can embed malicious JavaScript that executes in the victim's browser, enabling possible session hijacking, cookie theft, phishing, or defacement of the WordPress site. This weakness presents a risk of compromising user confidentiality, integrity, and services through script injection.

Affected Systems

The affected product is the WordPress CoolHappy Cool Flipbox – Shortcode & Gutenberg Block plugin, versions from the first release up through 1.8.3. Any WordPress installation using this plugin version range is vulnerable.

Risk and Exploitability

The reported CVSS base score is 7.1, indicating a high level of risk. The EPSS score of less than 1% shows a low probability of exploitation at this time, and the vulnerability is not currently listed in CISA's KEV catalog. Exploitation would likely rely on a user visiting a crafted URL or on malicious data being entered into a field rendered by the plugin. The attack requires access to the site's front end, so external threat actors can trigger the flaw if they can entice users to click or if the site processes untrusted input. Overall risk is moderate, but mitigation is advised.

Generated by OpenCVE AI on April 30, 2026 at 21:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the CoolHappy Cool Flipbox plugin to the latest version (greater than 1.8.3) where the vulnerability has been fixed
  • If an update is not immediately possible, disable any feature that reflects user input in the plugin or remove the plugin entirely until the fix is applied
  • Review other plugins and themes for similar XSS issues and apply updates or configuration changes accordingly

Advisories
Source: EUVD
ID: EUVD-2025-11661
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CoolHappy Cool Flipbox – Shortcode & Gutenberg Block allows Reflected XSS. This issue affects Cool Flipbox – Shortcode & Gutenberg Block: from n/a through 1.8.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description (Values Removed): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CoolHappy Cool Flipbox – Shortcode & Gutenberg Block allows Reflected XSS. This issue affects Cool Flipbox – Shortcode & Gutenberg Block: from n/a through 1.8.3.
Description (Values Added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CoolHappy Cool Flipbox – Shortcode & Gutenberg Block flip-boxes allows Reflected XSS.This issue affects Cool Flipbox – Shortcode & Gutenberg Block: from n/a through <= 1.8.3.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 17 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CoolHappy Cool Flipbox – Shortcode & Gutenberg Block allows Reflected XSS. This issue affects Cool Flipbox – Shortcode & Gutenberg Block: from n/a through 1.8.3.
Title WordPress Cool Flipbox plugin <= 1.8.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:23.495Z

Reserved: 2025-04-09T11:19:35.668Z

Link: CVE-2025-32521

Vulnrichment

Updated: 2025-04-17T18:05:43.983Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:41.087

Modified: 2026-04-23T15:29:02.160

Link: CVE-2025-32521

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T21:45:26Z

Weaknesses