Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in confuzzledduck Syndicate Out syndicate-out allows Reflected XSS. This issue affects Syndicate Out: from n/a through <= 0.9.
Published: 2025-05-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation that allows reflected cross‑site scripting. An attacker can supply crafted data that the Syndicate Out plugin reflects directly into a generated page, enabling execution of arbitrary JavaScript in the browser of any user who views the affected page.

Affected Systems

The WordPress plugin Syndicate Out, created by confuzzledduck, is affected in all releases up to and including version 0.9.

Risk and Exploitability

The CVSS score is 7.1, indicating a high severity, while the EPSS score is less than 1% and the vulnerability is not listed in CISA’s KEV catalog, suggesting a lower probability of exploitation. The likely attack vector is via web input that the plugin reflects without proper sanitization, which requires an attacker to craft a malicious URL or payload that a victim’s browser will process.

Generated by OpenCVE AI on April 30, 2026 at 19:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Syndicate Out to a version greater than 0.9, which removes the vulnerable code.
  • If an upgrade is not possible, uninstall the plugin to eliminate the attack surface.
  • Apply a web application firewall or content security policy to block reflected XSS payloads until the plugin is updated.



Advisories
Source: EUVD
ID: EUVD-2025-15801
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in confuzzledduck Syndicate Out allows Reflected XSS. This issue affects Syndicate Out: from n/a through 0.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in confuzzledduck Syndicate Out allows Reflected XSS. This issue affects Syndicate Out: from n/a through 0.9.
Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in confuzzledduck Syndicate Out syndicate-out allows Reflected XSS. This issue affects Syndicate Out: from n/a through <= 0.9.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 May 2025 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in confuzzledduck Syndicate Out allows Reflected XSS. This issue affects Syndicate Out: from n/a through 0.9.
Title WordPress Syndicate Out <= 0.9 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:36.196Z

Reserved: 2025-04-17T17:03:58.445Z

Link: CVE-2025-43836

Vulnrichment

Updated: 2025-05-19T18:33:48.261Z

NVD

Status: Deferred

Published: 2025-05-19T19:15:50.697

Modified: 2026-04-23T15:29:53.290

Link: CVE-2025-43836

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T19:45:26Z

Weaknesses