Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in B2itech B2i Investor Tools b2i-investor-tools allows Reflected XSS.This issue affects B2i Investor Tools: from n/a through <= 1.0.7.9.
Published: 2025-05-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The B2i Investor Tools plugin has an input sanitization flaw that allows an attacker to inject arbitrary script code into the web page presented to a victim. This reflected XSS flaw can execute malicious JavaScript in the context of the site, enabling cookie theft, session hijacking, or defacement. The vulnerability is classified under CWE‑79 and is present in all releases up to and including 1.0.7.9.

Affected Systems

The affected component is the WordPress plugin B2i Investor Tools developed by B2itech. Versions from the earliest available release through 1.0.7.9 are impacted. Any WordPress installation running one of those versions of the plugin is at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, but the EPSS score is lower than 1%, showing a very low current exploitation probability. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires a victim to visit a crafted URL or submit a manipulated form field; thus active user interaction is needed. If such interaction is achieved, the attacker can run arbitrary client‑side code in the victim’s browser.

Generated by OpenCVE AI on April 30, 2026 at 19:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the B2i Investor Tools plugin to the latest version, version 1.0.8 or later, if available.
  • If an upgrade is not possible, de‑activate or uninstall the plugin until the vulnerability is fixed.
  • Ensure that any remaining form inputs or URLs provided by the plugin are not exposed to untrusted data, or employ a web application firewall to block suspicious requests.

Generated by OpenCVE AI on April 30, 2026 at 19:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28084 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in B2itech B2i Investor Tools allows Reflected XSS. This issue affects B2i Investor Tools: from n/a through 1.0.7.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in B2itech B2i Investor Tools allows Reflected XSS. This issue affects B2i Investor Tools: from n/a through 1.0.7.9. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in B2itech B2i Investor Tools b2i-investor-tools allows Reflected XSS.This issue affects B2i Investor Tools: from n/a through <= 1.0.7.9.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 23 May 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in B2itech B2i Investor Tools allows Reflected XSS. This issue affects B2i Investor Tools: from n/a through 1.0.7.9.
Title WordPress B2i Investor Tools plugin <= 1.0.7.9 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:41.294Z

Reserved: 2025-05-07T09:38:48.852Z

Link: CVE-2025-47458

cve-icon Vulnrichment

Updated: 2025-05-23T14:51:59.262Z

cve-icon NVD

Status : Deferred

Published: 2025-05-23T13:15:37.850

Modified: 2026-04-23T15:30:15.300

Link: CVE-2025-47458

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T19:15:16Z

Weaknesses