Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sftranna EC Authorize.net ec-authorizenet allows Reflected XSS. This issue affects EC Authorize.net: from n/a through <= 0.3.3.
Published: 2025-05-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The EC Authorize.net plugin for WordPress contains an improper neutralization of input during page generation, allowing attackers to inject malicious scripts into responses. When an affected victim visits a crafted URL or otherwise triggers the vulnerable input handling, the script runs in the visitor’s browser under the site’s origin, enabling session hijacking, cookie theft, defacement, or the execution of arbitrary client‑side code.

Affected Systems

The vulnerability is present in the WordPress EC Authorize.net plugin published by SFTRANNA, affecting all releases through version 0.3.3. Any site running that plugin version is at risk regardless of underlying WordPress or server configuration.

Risk and Exploitability

The CVSS score of 7.1 indicates a high‑severity vulnerability, while the EPSS score of less than 1% suggests that exploitation is currently unlikely but still possible. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit it by tricking users into visiting a malicious link or interacting with a manipulated form; the attack vector is web‑based and requires no special privileges.

Generated by OpenCVE AI on April 30, 2026 at 19:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the EC Authorize.net plugin to the latest available version, which includes the XSS fix.
  • If an upgrade is not feasible at the moment, disable or delete the plugin until the fix is deployed.
  • Implement a site‑wide Content Security Policy that limits script sources and blocks inline scripts to reduce the impact of any residual XSS.



Advisories
Source: EUVD
ID: EUVD-2025-28053
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sftranna EC Authorize.net allows Reflected XSS. This issue affects EC Authorize.net: from n/a through 0.3.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sftranna EC Authorize.net allows Reflected XSS. This issue affects EC Authorize.net: from n/a through 0.3.3. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sftranna EC Authorize.net ec-authorizenet allows Reflected XSS.This issue affects EC Authorize.net: from n/a through <= 0.3.3.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 23 May 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sftranna EC Authorize.net allows Reflected XSS. This issue affects EC Authorize.net: from n/a through 0.3.3.
Title WordPress EC Authorize.net plugin <= 0.3.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:39.241Z

Reserved: 2025-04-24T14:22:54.404Z

Link: CVE-2025-46487

Vulnrichment

Updated: 2025-05-23T14:51:08.590Z

NVD

Status : Deferred

Published: 2025-05-23T13:15:35.973

Modified: 2026-04-23T15:30:05.750

Link: CVE-2025-46487

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T19:15:16Z

Weaknesses