Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rhys Wynne WP Flipclock wp-flipclock allows DOM-Based XSS. This issue affects WP Flipclock: from n/a through <= 1.9.1.
Published: 2025-04-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Flipclock plugin up to version 1.9.1 contains an improper neutralization of input during web page generation, allowing attackers to inject malicious scripts into the page (DOM‑based XSS). This flaw permits an attacker to execute arbitrary client‑side code in the context of a visitor’s browser, potentially leading to session hijacking, defacement, or phishing. The weakness falls under CWE‑79 and could compromise all visitors rendering plugin output.

Affected Systems

The vulnerability affects the Rhys Wynne WordPress WP Flipclock plugin for any WordPress installation that has the plugin installed in versions up to and including 1.9.1. No specific WordPress core or PHP version is required, and the issue manifests wherever the plugin outputs user‑controllable data to the page.

Risk and Exploitability

With a CVSS score of 6.5 the risk is moderate, while the EPSS score of less than 1% indicates a low exploitation probability. The flaw is client‑side and does not require authentication, so any visitor can trigger the XSS by loading a page that incorporates the plugin. The vulnerability is not listed in CISA’s KEV catalog, so widespread exploitation is currently unlikely but remains a valid threat for exposed sites.

Generated by OpenCVE AI on April 30, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Flipclock plugin to the latest version that removes the XSS flaw (any release newer than 1.9.1).
  • If an upgrade is not immediately available, deactivate or uninstall the plugin to eliminate the risk until a patch is released.
  • Review any plugin configuration or custom content that may render user‑supplied data, ensuring proper input sanitization or using WordPress nonces to restrict unauthorized modifications.

Generated by OpenCVE AI on April 30, 2026 at 22:37 UTC.


Advisories

Source: EUVD
ID: EUVD-2025-11323
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rhys Wynne WP Flipclock allows DOM-Based XSS. This issue affects WP Flipclock: from n/a through 1.9.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rhys Wynne WP Flipclock allows DOM-Based XSS. This issue affects WP Flipclock: from n/a through 1.9.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rhys Wynne WP Flipclock wp-flipclock allows DOM-Based XSS.This issue affects WP Flipclock: from n/a through <= 1.9.1.
Title
  Removed: WordPress WP Flipclock plugin <= 1.9 - Cross Site Scripting (XSS) vulnerability
  Added: WordPress WP Flipclock plugin <= 1.9.1 - Cross Site Scripting (XSS) vulnerability
References
Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 16 Apr 2025 14:15:00 +0000

Metrics (ssvc), added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 16 Apr 2025 13:15:00 +0000 (all values added)

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rhys Wynne WP Flipclock allows DOM-Based XSS. This issue affects WP Flipclock: from n/a through 1.9.
Title: WordPress WP Flipclock plugin <= 1.9 - Cross Site Scripting (XSS) vulnerability
Weaknesses: CWE-79
References
Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:34.312Z

Reserved: 2025-04-16T06:24:47.077Z

Link: CVE-2025-39540

Vulnrichment

Updated: 2025-04-16T13:41:26.983Z

NVD

Status : Deferred

Published: 2025-04-16T13:15:46.937

Modified: 2026-04-23T15:29:45.233

Link: CVE-2025-39540

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T22:45:03Z

Weaknesses