Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hive Support Hive Support hive-support allows Reflected XSS. This issue affects Hive Support: from n/a through <= 1.2.5.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a reflected cross-site scripting flaw in the Hive Support plugin for WordPress. Because user input is not properly neutralized, an attacker can embed JavaScript that the plugin echoes back in the page, and that script then executes in the browser of any user who opens the crafted URL. The potential impact includes session hijacking, defacement, and drive-by malware delivery.

Affected Systems

The affected component is the Hive Support plugin for WordPress, specifically versions 1.2.5 and earlier. Any WordPress installation that has this plugin installed and not yet upgraded is susceptible; the plugin itself is identified by the vendor name Hive Support.

Risk and Exploitability

The rule-based CVSS score is 7.1, reflecting a high-severity vulnerability, while the EPSS score is below 1%, indicating a low but non-zero probability of current exploitation. It is not listed in the CISA KEV catalog. An attacker can create a malicious URL containing the unsanitized query parameter, and a victim who follows that link, typically delivered through social engineering, will have the script executed in their browser. The attack vector is therefore a remotely exploitable reflected XSS that requires user interaction.

Generated by OpenCVE AI on April 30, 2026 at 22:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Hive Support plugin to the patched release (>= 1.2.6).
  • Deploy a web‑application firewall rule to block suspicious script injections targeting the plugin’s endpoints.
  • Restrict the use of the plugin to trusted administrators and review its permission scopes to minimize exposure.



Advisories
Source: EUVD
ID: EUVD-2025-11731
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hive Support Hive Support allows Reflected XSS. This issue affects Hive Support: from n/a through 1.2.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hive Support Hive Support allows Reflected XSS. This issue affects Hive Support: from n/a through 1.2.2.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hive Support Hive Support hive-support allows Reflected XSS.This issue affects Hive Support: from n/a through <= 1.2.5.
Title
  Removed: WordPress Hive Support plugin <= 1.2.2- Reflected Cross Site Scripting (XSS) vulnerability
  Added: WordPress Hive Support plugin <= 1.2.5 - Reflected Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 17 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hive Support Hive Support allows Reflected XSS. This issue affects Hive Support: from n/a through 1.2.2.
Title WordPress Hive Support plugin <= 1.2.2- Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:27.492Z

Reserved: 2025-04-09T11:21:18.306Z

Link: CVE-2025-32666

Vulnrichment

Updated: 2025-04-17T18:08:49.971Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:50.207

Modified: 2026-04-23T15:29:18.673

Link: CVE-2025-32666

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T22:15:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')