Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuanticaLabs CSS3 Compare Pricing Tables for WordPress css3_web_pricing_tables_grids allows Reflected XSS. This issue affects CSS3 Compare Pricing Tables for WordPress: from n/a through <= 11.6.
Published: 2025-07-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cross‑site scripting flaw (CWE‑79) based on improper neutralization of user input that results in reflected XSS in the CSS3 Compare Pricing Tables for WordPress plugin. A malicious actor could inject JavaScript that is subsequently executed in the browser of any user who views the affected page. The attack can lead to credential theft, session hijacking, defacement, or the delivery of phishing content, impacting confidentiality, integrity, and availability of the site for end users. These specific consequences are inferred from common XSS exploitation scenarios, as the CVE description does not explicitly state them.

Affected Systems

QuanticaLabs supplies the CSS3 Compare Pricing Tables for WordPress plugin. All installed releases from the initial release through version 11.6 are affected. The vulnerability does not appear in versions 11.7 and later.

Risk and Exploitability

This flaw carries a CVSS score of 7.1, indicating a high risk, but an EPSS score of less than 1% suggests that exploitation is unlikely in the wild. The vulnerability is not listed in the CISA KEV catalog. Because the XSS payload is reflected from user-supplied data, an attacker would need to convince a victim to visit a specially crafted URL or interact with a form; the likely attack vector is therefore social engineering or phishing. No special privileges are required, and the vulnerability can affect any user who can view the affected pages.

Generated by OpenCVE AI on May 1, 2026 at 06:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to the latest release (11.7 or newer) where the XSS issue has been fixed.
  • If an immediate update is not possible, place the site behind a Web Application Firewall that can block reflected XSS payloads or apply manual input sanitization to the plugin’s output.
  • Disable or remove the plugin from sites that are publicly exposed if it is not essential to site functionality.



Advisories
Source: EUVD
ID: EUVD-2025-21619
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuanticaLabs CSS3 Compare Pricing Tables for WordPress allows Reflected XSS. This issue affects CSS3 Compare Pricing Tables for WordPress: from n/a through 11.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuanticaLabs CSS3 Compare Pricing Tables for WordPress allows Reflected XSS. This issue affects CSS3 Compare Pricing Tables for WordPress: from n/a through 11.6.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuanticaLabs CSS3 Compare Pricing Tables for WordPress css3_web_pricing_tables_grids allows Reflected XSS. This issue affects CSS3 Compare Pricing Tables for WordPress: from n/a through <= 11.6.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 16 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00032}


Wed, 16 Jul 2025 11:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuanticaLabs CSS3 Compare Pricing Tables for WordPress allows Reflected XSS. This issue affects CSS3 Compare Pricing Tables for WordPress: from n/a through 11.6.
Title WordPress CSS3 Compare Pricing Tables for WordPress plugin <= 11.6 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:44.862Z

Reserved: 2025-05-07T09:40:00.790Z

Link: CVE-2025-47554

Vulnrichment

Updated: 2025-07-16T13:54:24.777Z

NVD

Status: Deferred

Published: 2025-07-16T12:15:26.623

Modified: 2026-04-23T15:30:28.607

Link: CVE-2025-47554

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:00:06Z

Weaknesses