Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in runthings.dev Bulk Page Stub Creator bulk-page-stub-creator allows Reflected XSS. This issue affects Bulk Page Stub Creator: from n/a through <= 1.1.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of user input during web page generation, allowing attackers to embed malicious scripts that are executed by other users' browsers. A successful exploit can lead to theft of session cookies, defacement of content, and the potential for further phishing or credential harvesting attacks. The weakness is a classic reflected XSS flaw, classified as CWE‑79.

Affected Systems

The affected element is the WordPress plugin Bulk Page Stub Creator developed by runthings.dev. All releases from the initial version through version 1.1 are vulnerable and must be replaced or updated.

Risk and Exploitability

The CVSS score of 7.1 places this issue in the High severity range. The EPSS score indicates a very low probability of public exploitation (< 1 %), and it is not currently listed in the CISA KEV catalog. The likely attack vector is a malicious URL that includes injected payloads targeting the plugin’s parameter handling, which can be delivered via social engineering or malformed links.

Generated by OpenCVE AI on May 1, 2026 at 09:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bulk Page Stub Creator to a version newer than 1.1
  • If an upgrade is not possible, remove or disable the plugin entirely
  • Apply a Web Application Firewall rule or input validation filter that blocks common XSS patterns, and consider enforcing a Content Security Policy that restricts inline scripts



Advisories
Source: EUVD
ID: EUVD-2025-11736
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rtpHarry Bulk Page Stub Creator allows Reflected XSS. This issue affects Bulk Page Stub Creator: from n/a through 1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rtpHarry Bulk Page Stub Creator allows Reflected XSS. This issue affects Bulk Page Stub Creator: from n/a through 1.1.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in runthings.dev Bulk Page Stub Creator bulk-page-stub-creator allows Reflected XSS. This issue affects Bulk Page Stub Creator: from n/a through <= 1.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 17 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rtpHarry Bulk Page Stub Creator allows Reflected XSS. This issue affects Bulk Page Stub Creator: from n/a through 1.1.
Title WordPress Bulk Page Stub Creator plugin <= 1.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:33.931Z

Reserved: 2025-04-16T06:24:32.683Z

Link: CVE-2025-39519

Vulnrichment

Updated: 2025-04-17T18:09:00.753Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:56.230

Modified: 2026-04-23T15:29:43.000

Link: CVE-2025-39519

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T10:00:12Z

Weaknesses