Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NasaTheme Nasa Core nasa-core allows Reflected XSS. This issue affects Nasa Core: from n/a through <= 6.4.4.
Published: 2025-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper neutralization of input during web page generation (CWE‑79) allows attackers to inject and execute arbitrary client‑side scripts. When a victim loads a URL or interacts with a page that reflects unsanitized user input, the attacker’s script can run in the victim’s browser, enabling information theft, session hijacking, content defacement, or the delivery of further malware. The vulnerability is limited to reflected XSS and does not provide remote code execution or server‑side compromise.

Affected Systems

The flaw exists in the WordPress plugin NasaTheme Nasa Core, in all releases from the first available version through 6.4.4. Any WordPress site running one of these plugin versions is susceptible to the vulnerability.

Risk and Exploitability

With a CVSS score of 7.1, the issue is classified as high severity. The EPSS score of less than 1% suggests an extremely low probability that the flaw will be actively exploited at this time, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is likely a crafted link or input that requires no authentication and targets visitors who load the affected page. Attackers would need to send or embed the malicious payload in a URL or form field that the plugin subsequently renders without proper sanitization.

Generated by OpenCVE AI on April 30, 2026 at 17:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nasa Core to the newest available version that contains the fix for the XSS vulnerability.
  • If an upgrade is not immediately possible, disable or remove any features that expose the vulnerable input mechanism, or apply strict input filtering to all user‑supplied data processed by the plugin.
  • Configure the website to use a web application firewall that blocks or sanitizes common XSS payloads, ensuring that any reflected scripts are neutralized before reaching users.



Advisories
Source: EUVD
ID: EUVD-2025-18542
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NasaTheme Nasa Core allows Reflected XSS. This issue affects Nasa Core: from n/a through 6.3.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 03 Apr 2026 07:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NasaTheme Nasa Core allows Reflected XSS. This issue affects Nasa Core: from n/a through 6.3.2.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NasaTheme Nasa Core nasa-core allows Reflected XSS. This issue affects Nasa Core: from n/a through <= 6.4.4.
Title
  Removed: WordPress Nasa Core Plugin <= 6.3.2 - Cross Site Scripting (XSS) vulnerability
  Added: WordPress Nasa Core Plugin <= 6.4.4 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 17 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NasaTheme Nasa Core allows Reflected XSS. This issue affects Nasa Core: from n/a through 6.3.2.
Title WordPress Nasa Core Plugin <= 6.3.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:23:23.993Z

Reserved: 2025-04-16T06:24:25.376Z

Link: CVE-2025-39508

Vulnrichment

Updated: 2025-06-17T18:29:26.341Z

NVD

Status: Deferred

Published: 2025-06-17T15:15:42.873

Modified: 2026-04-23T15:29:41.763

Link: CVE-2025-39508

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T17:45:26Z

Weaknesses