Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sajjad Aslani AWSA Shipping awsa-shipping allows Reflected XSS. This issue affects AWSA Shipping: from n/a through <= 1.3.0.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The AWSA Shipping plugin for WordPress contains a reflected cross‑site scripting flaw. User‑supplied input is reflected back into the generated page without proper sanitization or output escaping, so an attacker can inject JavaScript through a crafted URL. The injected code executes in the victim’s browser in the context of the site, enabling actions such as session hijacking, data theft, or site defacement. The weakness is classified as CWE‑79, the standard client‑side injection category.

Affected Systems

Any WordPress installation running Sajjad Aslani’s AWSA Shipping plugin at version 1.3.0 or earlier is vulnerable. The advisory gives the lower bound of the affected range as "n/a", meaning the earliest affected version is unspecified and all earlier releases should be treated as affected.

Risk and Exploitability

The CVSS v3.1 score of 7.1 denotes high severity. The EPSS score of less than 1% indicates that mass exploitation is unlikely, but the flaw is simple to trigger once known. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the victim to open a URL carrying the malicious payload (user interaction, UI:R) and does not require any authentication (PR:N).

Generated by OpenCVE AI on April 30, 2026 at 21:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AWSA Shipping plugin to a version newer than 1.3.0 released by the vendor.
  • If immediate upgrade is not possible, modify the plugin’s input handling to sanitize user data using WordPress’s built‑in functions (e.g., esc_html, esc_url) before rendering it in pages.
  • Implement a content security policy that disallows inline scripts and restricts JavaScript execution to trusted sources to mitigate any residual XSS impact.
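The following PHP snippet is an added illustration of the sanitize‑then‑escape pattern the recommendations describe; it is not code from the AWSA Shipping plugin, and the function names, the `ref` query parameter, the hook usage and the policy string are hypothetical. It shows the generic CWE‑79 reflection pattern beside its hardened equivalent and a defence‑in‑depth Content‑Security‑Policy header.

```php
<?php
/**
 * Added illustration (not the AWSA Shipping plugin's code): the generic
 * CWE-79 reflection pattern in a WordPress plugin and the hardened form
 * built on core helpers. Function and parameter names are hypothetical.
 */

// --- Vulnerable pattern: a query parameter is written into HTML unescaped.
function example_render_status_vulnerable() {
    $ref = isset( $_GET['ref'] ) ? $_GET['ref'] : '';
    // Whatever the URL carries lands verbatim in the page (reflected XSS).
    echo '<p>Shipment reference: ' . $ref . '</p>';
}

// --- Hardened pattern: unslash, sanitize on input, escape for the output context.
function example_render_status_hardened() {
    // wp_unslash() removes the slashes WordPress adds to superglobals;
    // sanitize_text_field() strips tags, invalid octets and line breaks.
    $ref = isset( $_GET['ref'] ) ? sanitize_text_field( wp_unslash( $_GET['ref'] ) ) : '';

    // Escape at the point of output, with the helper matching the context:
    // esc_html() for text nodes, esc_attr() inside attribute values,
    // esc_url() for href/src targets.
    echo '<p>Shipment reference: ' . esc_html( $ref ) . '</p>';
    echo '<input type="text" name="ref" value="' . esc_attr( $ref ) . '">';

    // add_query_arg() expects values already URL-encoded by the caller.
    $track_url = add_query_arg( 'ref', rawurlencode( $ref ), home_url( '/track/' ) );
    echo '<a href="' . esc_url( $track_url ) . '">Track</a>';
}

// --- Defence in depth: a CSP that refuses inline scripts, so a reflected
// payload that slips past escaping still cannot execute. The policy shown is
// illustrative; list the site's real script origins before deploying it.
add_action( 'send_headers', function () {
    if ( ! headers_sent() ) {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
    }
} );
```

The order matters: sanitizing on input narrows what is stored or passed on, but only context‑specific escaping at output prevents the reflected value from being interpreted as markup, and the CSP limits the blast radius if an escaping call is missed elsewhere.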

Advisories
Source: EUVD
ID: EUVD-2025-11699
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sajjad Aslani AWSA Shipping allows Reflected XSS. This issue affects AWSA Shipping: from n/a through 1.3.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sajjad Aslani AWSA Shipping allows Reflected XSS. This issue affects AWSA Shipping: from n/a through 1.3.0.
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sajjad Aslani AWSA Shipping awsa-shipping allows Reflected XSS. This issue affects AWSA Shipping: from n/a through <= 1.3.0.
Type: References
Type: Metrics (cvssV3_1)
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 17 Apr 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 16:00:00 +0000

Type: Description
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sajjad Aslani AWSA Shipping allows Reflected XSS. This issue affects AWSA Shipping: from n/a through 1.3.0.
Type: Title
Values added: WordPress AWSA Shipping Plugin <= 1.3.0 - Reflected Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Values added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:11:43.874Z

Reserved: 2025-04-09T11:20:27.476Z

Link: CVE-2025-32604

Vulnrichment

Updated: 2025-04-17T18:07:20.839Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:46.010

Modified: 2026-04-23T15:29:11.700

Link: CVE-2025-32604

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T22:00:08Z

Weaknesses