Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in debounce DeBounce Email Validator debounce-io-email-validator allows Stored XSS.This issue affects DeBounce Email Validator: from n/a through <= 5.7.1.
Published: 2025-04-09
Score: 7.1 High
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The DeBounce Email Validator plugin for WordPress allows a stored cross‑site scripting flaw caused by improper neutralization of input during web page generation. When a user submits data through the plugin’s interface, any malicious script can be persisted and later rendered on the site, enabling attackers to execute arbitrary JavaScript in the context of the site’s users or administrators.

Affected Systems

WordPress sites that run the DeBounce Email Validator plugin version 5.7.1 or earlier are vulnerable. Any installation that has not upgraded beyond 5.7.1 faces this risk.

Risk and Exploitability

The vulnerability has a CVSS score of 7.1, indicating moderate severity, and an EPSS score of less than 1%, suggesting a low likelihood of exploitation at present. The issue is not yet listed in CISA’s KEV catalog. Attackers can use the exposed form to inject script, and because the payload is stored, it remains available until an administrator removes or updates the content. The likely attack vector is a CSRF‑based request that pre‑populates the form with malicious code, allowing any user with permissions to submit the form to store the payload. Until a patch is applied, the flaw could be exploited by anyone with access to the form or via such a CSRF attack.

Generated by OpenCVE AI on May 2, 2026 at 02:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the DeBounce Email Validator plugin to the latest version to remove the stored XSS flaw
  • If an upgrade is not immediately possible, deactivate or delete the plugin until a patched version is available to eliminate the attack surface
  • Apply a temporary CSRF token or additional form validation to ensure that only authorized requests can submit data, reducing the risk of injected scripts being stored
  • Sanitize all user‑supplied input on the client or server side to guarantee that executable code cannot be persisted in the database

Generated by OpenCVE AI on May 2, 2026 at 02:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-10602 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in debounce DeBounce Email Validator allows Stored XSS. This issue affects DeBounce Email Validator: from n/a through 5.7.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in debounce DeBounce Email Validator allows Stored XSS. This issue affects DeBounce Email Validator: from n/a through 5.7.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in debounce DeBounce Email Validator debounce-io-email-validator allows Stored XSS.This issue affects DeBounce Email Validator: from n/a through <= 5.7.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 09 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 09 Apr 2025 16:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in debounce DeBounce Email Validator allows Stored XSS. This issue affects DeBounce Email Validator: from n/a through 5.7.1.
Title WordPress DeBounce Email Validator plugin <= 5.7.1 - CSRF to Stored XSS vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:24.450Z

Reserved: 2025-04-09T11:20:15.875Z

Link: CVE-2025-32580

cve-icon Vulnrichment

Updated: 2025-04-09T17:41:45.588Z

cve-icon NVD

Status : Deferred

Published: 2025-04-09T17:15:46.860

Modified: 2026-04-23T15:29:08.907

Link: CVE-2025-32580

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T02:30:25Z

Weaknesses