Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rahendra Putra K™ RAphicon raphicon allows DOM-Based XSS. This issue affects RAphicon: from n/a through <= 2.1.2.
Published: 2025-04-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The RAphicon WordPress plugin suffers from improper neutralization of user input during web page generation, specifically a DOM‑based XSS flaw. This weakness allows an attacker to inject malicious JavaScript into a page delivered to a visitor, potentially hijacking user sessions, defacing content, or exfiltrating data from the browser context. No elevation of privilege is required, so the primary impact is confidentiality or integrity compromise for users who view affected pages.

Affected Systems

The vulnerability is present in all releases of the RAphicon plugin up to and including version 2.1.2, distributed by Rahendra Putra K™. Sites running any of these versions of the plugin are exposed.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of <1% suggests a low current probability of exploitation. The flaw is not listed in CISA’s KEV catalog. It is likely that an attacker can exploit this vulnerability by injecting script content into any page that renders untrusted input; the attack vector would most typically be a compromised or malicious user visiting a site with the plugin enabled. In the absence of an official patch, the risk remains until remediation is applied.

Generated by OpenCVE AI on April 30, 2026 at 20:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the RAphicon plugin to the latest available release (v2.1.3 or later).
  • If an immediate update is not feasible, temporarily remove or disable the plugin to prevent the XSS vector from being active.
  • After the patch or removal, review the site’s pages for any injected scripts and clean them before re‑enabling or publishing content.

Advisories
Source: EUVD
ID: EUVD-2025-12050
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rahendra Putra K™ RAphicon allows DOM-Based XSS. This issue affects RAphicon: from n/a through 2.1.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rahendra Putra K™ RAphicon allows DOM-Based XSS. This issue affects RAphicon: from n/a through 2.1.2.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rahendra Putra K™ RAphicon raphicon allows DOM-Based XSS.This issue affects RAphicon: from n/a through <= 2.1.2.

Type: Title
Values Removed: WordPress RAphicon <= 2.1.2 - Cross Site Scripting (XSS) Vulnerability
Values Added: WordPress RAphicon plugin <= 2.1.2 - Cross Site Scripting (XSS) Vulnerability

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 25 Apr 2025 14:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 24 Apr 2025 16:15:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rahendra Putra K™ RAphicon allows DOM-Based XSS. This issue affects RAphicon: from n/a through 2.1.2.

Type: Title
Values Added: WordPress RAphicon <= 2.1.2 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:38.171Z

Reserved: 2025-04-24T14:22:38.654Z

Link: CVE-2025-46467

Vulnrichment

Updated: 2025-04-24T19:53:25.864Z

NVD

Status : Deferred

Published: 2025-04-24T16:15:37.440

Modified: 2026-04-23T15:30:03.073

Link: CVE-2025-46467

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T21:00:15Z

Weaknesses