Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpcraft WooMS wooms allows Reflected XSS. This issue affects WooMS: from n/a through <= 9.12.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WooMS plugin for WordPress fails to neutralize user-supplied input before writing it into a generated page (CWE-79), so an attacker can cause HTML or script of their choosing to be reflected back and rendered in a victim's browser. The flaw is present in all releases of the plugin up to and including version 9.12. The advisory does not list specific downstream effects, but reflected XSS executes attacker-controlled JavaScript in the site's own origin within the victim's session, which can lead to session hijacking, actions performed as the victim, defacement or phishing.
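To make the CWE-79 mechanism concrete, here is an added illustration (not WooMS code, and not taken from any advisory): the same crafted request rendered through an unescaped sink, through a half-fix that encodes angle brackets but not quotes, and through context-aware escaping. The parameter name `q`, the request URLs and the markup templates are hypothetical, and the Python stand-ins for WordPress's `esc_attr()` and `esc_html()` are `html.escape` with and without quote encoding.

```python
"""Reflected XSS (CWE-79) mechanics: one crafted request, three sinks.
Added illustration, not WooMS code. Parameter name `q`, URLs and markup
templates are hypothetical."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed request URLs for the demonstration (not real exploit traffic).
SCRIPT_URL = "https://shop.example/?q=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E"
ATTR_URL = "https://shop.example/?q=%22%20onmouseover%3D%22alert(1)"


def query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, percent-decoded."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_vulnerable(term: str) -> str:
    """Hypothetical unescaped sink: input concatenated straight into markup,
    once inside an attribute value and once inside a text node."""
    return ('<input name="q" value="' + term + '">'
            '<p>Results for ' + term + '</p>')


def render_text_escaped_only(term: str) -> str:
    """Common half-fix: angle brackets and ampersands are encoded, quotes
    are not. Safe in the text node, still injectable in the attribute."""
    escaped = html.escape(term, quote=False)
    return ('<input name="q" value="' + escaped + '">'
            '<p>Results for ' + escaped + '</p>')


def render_hardened(term: str) -> str:
    """Context-aware escaping: quotes must be encoded inside the attribute
    (WordPress esc_attr()); angle brackets and ampersands suffice in the
    text node (WordPress esc_html())."""
    return ('<input name="q" value="' + html.escape(term, quote=True) + '">'
            '<p>Results for ' + html.escape(term, quote=False) + '</p>')


class MarkupInspector(HTMLParser):
    """Records every start tag and the attributes of the <input> element,
    the way a browser's tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_attrs = dict(attrs)


def parse_markup(markup: str) -> MarkupInspector:
    inspector = MarkupInspector()
    inspector.feed(markup)
    inspector.close()
    return inspector


def contains_script_element(markup: str) -> bool:
    """True if the parser sees a real <script> start tag (not an entity)."""
    return "script" in parse_markup(markup).tags


def input_event_handlers(markup: str) -> list:
    """Event-handler attributes (on*) the parser assigns to the <input>."""
    return sorted(a for a in parse_markup(markup).input_attrs if a.startswith("on"))


if __name__ == "__main__":
    for url in (SCRIPT_URL, ATTR_URL):
        payload = query_param(url, "q")
        for sink in (render_vulnerable, render_text_escaped_only, render_hardened):
            out = sink(payload)
            print(sink.__name__, "script:", contains_script_element(out),
                  "handlers:", input_event_handlers(out))
```

The second payload carries no angle brackets at all, which is why the half-fix passes it straight into the attribute and the parser ends up with an `onmouseover` handler; escaping has to match the output context, which is the point of WordPress shipping `esc_attr()`, `esc_html()`, `esc_url()` and `esc_js()` as separate functions.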

Affected Systems

Any WordPress site running the WooMS plugin at version 9.12 or earlier is affected. The advisory gives no lower bound ("from n/a"), so every earlier release should be treated as vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 7.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: it is exploitable over the network without authentication, but requires user interaction, typically a victim opening an attacker-crafted link. The EPSS score is below 1 %, suggesting a very low probability of exploitation in the wild at present, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment records no known exploitation and rates it as not automatable. Attackers would exploit the flaw remotely by crafting URLs or form submissions whose parameters the plugin writes into a page without proper encoding, against any publicly reachable WooMS endpoint that reflects user input. No local or privileged access is needed, but a victim's browser has to load the crafted request.

Generated by OpenCVE AI on May 2, 2026 at 02:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WooMS plugin to the newest release available from the WordPress plugin repository, and confirm from its changelog or the vendor advisory that the release is newer than 9.12 and addresses this issue.
  • If no fixed version is available, disable or remove the WooMS plugin entirely to eliminate exposure.
  • Until a patch is applied, a web application firewall rule or security plugin that blocks script-like payloads in request parameters reduces exposure, but it is a mitigation rather than a fix: only encoding the output at the point where the plugin writes user input into the page removes the flaw.

Generated by OpenCVE AI on May 2, 2026 at 02:02 UTC.
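While the plugin is unpatched, the crafted URLs described under "Risk and Exploitability" are the one artifact a defender can look for. The following is an added triage aid, not part of the advisory or the WooMS project: it scans web server access-log lines in combined format, decodes every query parameter repeatedly so double-encoded payloads are caught, and reports values that look like script injection. The log lines are constructed for the demonstration; the marker patterns are the author's choice and are tuned for triage, so occasional false positives are expected.

```python
"""Triage of reflected-XSS attempts in access logs. Added example, not part
of the advisory or the WooMS project. Log lines below are constructed."""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache/nginx combined format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Apr/2025:16:20:01 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [17/Apr/2025:16:21:15 +0000] "GET /shop/?orderby=price&order=asc HTTP/1.1" 200 8311 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Apr/2025:16:22:40 +0000] "GET /?q=%2522%2520onmouseover%253D%2522alert(1) HTTP/1.1" 200 5130 "-" "curl/8.0"',
    '192.0.2.44 - - [17/Apr/2025:16:23:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
]

# Combined log format: client, identity, user, [timestamp], "METHOD target proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers of HTML/script injection in a decoded parameter value.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*(script|svg|img|iframe|object|embed|math|body)\b"
    r"|javascript\s*:"
    r"|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %2522 -> %22 -> "."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(lines):
    """Return one record per query parameter whose decoded value matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format, skip rather than guess
        query = urlsplit(m["target"]).query
        for name, raw_value in parse_qsl(query, keep_blank_values=True):
            value = decode_fully(raw_value)
            if XSS_MARKERS.search(value):
                hits.append({
                    "ip": m["ip"], "time": m["ts"], "status": m["status"],
                    "param": name, "decoded": value,
                })
    return hits


def attempts_by_ip(hits) -> Counter:
    """Count attempts per client; a single source with many variants is
    usually probing, many sources with one payload suggests victims."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["time"], h["status"], h["param"], repr(h["decoded"]))
    print(attempts_by_ip(found))
```

Two caveats follow from the vector on this page. Form submissions arrive as POST bodies, which access logs do not record, so this only covers the URL variant. And a 200 response does not prove the payload was reflected; confirming that requires the response body or a controlled replay. Because exploitation needs user interaction (UI:R), the same payload appearing from many client addresses with a Referer is the pattern that indicates victims following a distributed link, whereas a burst of variants from one address is reconnaissance.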


Advisories
Source: EUVD
ID: EUVD-2025-11698
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aiiddqd WooMS allows Reflected XSS. This issue affects WooMS: from n/a through 9.12.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Description (removed): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aiiddqd WooMS allows Reflected XSS. This issue affects WooMS: from n/a through 9.12.
Description (added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpcraft WooMS wooms allows Reflected XSS.This issue affects WooMS: from n/a through <= 9.12.
References
Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 17 Apr 2025 19:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 16:00:00 +0000

Description (added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aiiddqd WooMS allows Reflected XSS. This issue affects WooMS: from n/a through 9.12.
Title (added): WordPress WooMS Plugin <= 9.12 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses (added): CWE-79
References
Metrics (cvssV3_1, added): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:25.110Z

Reserved: 2025-04-09T11:20:27.475Z

Link: CVE-2025-32602

Vulnrichment

Updated: 2025-04-17T18:07:16.867Z

NVD

Status : Deferred

Published: 2025-04-17T16:15:45.873

Modified: 2026-04-23T15:29:11.470

Link: CVE-2025-32602

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T02:15:31Z

Weaknesses