Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in maximevalette iCal Feeds ical-feeds allows Reflected XSS. This issue affects iCal Feeds: from n/a through <= 1.5.3.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user-supplied input leads to reflected cross‑site scripting in the WordPress iCal Feeds plugin. The flaw allows an attacker to inject arbitrary client‑side script into a page response, enabling session hijacking, credential theft, defacement, or other malicious actions in the context of any user who views the crafted page.

Affected Systems

The vulnerability exists in the maximevalette iCal Feeds WordPress plugin, in all versions from the initial release up to and including 1.5.3. Users of this plugin should check the installed version and determine whether it falls within the affected range.

Risk and Exploitability

The CVSS base score of 7.1 indicates high severity. The EPSS score is below 1%, implying a low but non-zero exploitation probability, and the flaw is not listed in the CISA KEV catalog. The attack vector is most likely a crafted URL or form submission whose parameters the plugin does not properly sanitize before echoing them into the page. Because the vulnerability is reflected, an attacker must get a victim to open a malicious link or submit crafted data; the injected script then runs in that victim's browser session.

Generated by OpenCVE AI on April 30, 2026 at 21:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the iCal Feeds plugin to a version newer than 1.5.3 if one is available.
  • If an update is not available, temporarily disable the plugin until a patch is released or the site no longer requires its functionality.
  • Implement a web application firewall rule that blocks requests containing common XSS payload patterns or that sanitizes input parameters before they reach the plugin.



Advisories
Source: EUVD
ID: EUVD-2025-11665
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in maximevalette iCal Feeds allows Reflected XSS. This issue affects iCal Feeds: from n/a through 1.5.3.
History

Wed, 29 Apr 2026 13:30:00 +0000

Type: Metrics (ssvc)
Values: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in maximevalette iCal Feeds allows Reflected XSS. This issue affects iCal Feeds: from n/a through 1.5.3.
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in maximevalette iCal Feeds ical-feeds allows Reflected XSS. This issue affects iCal Feeds: from n/a through <= 1.5.3.
Type: References
Type: Metrics (cvssV3_1)
Values: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 17 Apr 2025 16:00:00 +0000

Type: Description
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in maximevalette iCal Feeds allows Reflected XSS. This issue affects iCal Feeds: from n/a through 1.5.3.
Type: Title
Values added: WordPress iCal Feeds Plugin <= 1.5.3 - Reflected Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Values added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:23.633Z

Reserved: 2025-04-09T11:19:42.423Z

Link: CVE-2025-32528

Vulnrichment

Updated: 2025-04-17T18:05:59.414Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:41.593

Modified: 2026-04-23T15:29:02.970

Link: CVE-2025-32528

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T21:45:26Z

Weaknesses