Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomSounds allows Reflected XSS. This issue affects ZoomSounds: from n/a through 6.91.
Published: 2025-12-31
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation in the ZoomSounds plugin allows reflected XSS. Input submitted through the plugin is inserted into the page output without sufficient sanitization, enabling an attacker to inject arbitrary JavaScript. Such scripts can be used to steal session cookies, deface content, or redirect users to malicious sites, thus compromising the confidentiality, integrity, and availability of the affected WordPress site for any visitor who views the reflected request.

Affected Systems

ZoomSounds, a plugin for WordPress, is affected in all releases from the earliest version through 6.91. Any WordPress site running ZoomSounds 6.91 or an earlier version is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% points to a low probability of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog. Likely attack vectors involve a crafted request (either a URL parameter or form input) that the plugin reflects into a page response. The attacker needs no authentication (PR:N in the CVSS vector), but the vector also requires user interaction (UI:R): a victim has to open the crafted request for the injected script to run.

Generated by OpenCVE AI on April 30, 2026 at 04:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ZoomSounds plugin to version 6.92 or later to remove the reflected XSS vulnerability.
  • If an update cannot be performed immediately, limit the plugin’s public input fields and configure WordPress to sanitize all user‑supplied data before rendering.
  • Deploy a web application firewall or similar filtering solution to detect and block malicious script payloads targeting the ZoomSounds plugin.



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomSounds ZoomSounds dzs-zoomsounds allows Reflected XSS. This issue affects ZoomSounds: from n/a through <= 6.91. | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomSounds allows Reflected XSS. This issue affects ZoomSounds: from n/a through 6.91. |
| References | | |

Thu, 23 Apr 2026 15:45:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomSounds allows Reflected XSS. This issue affects ZoomSounds: from n/a through 6.91. | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomSounds ZoomSounds dzs-zoomsounds allows Reflected XSS. This issue affects ZoomSounds: from n/a through <= 6.91. |
| References | | |

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 10:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Digitalzoomstudio; Digitalzoomstudio dzs-zoomsounds; Digitalzoomstudio zoomsounds; Wordpress; Wordpress wordpress |
| Vendors & Products | | Digitalzoomstudio; Digitalzoomstudio dzs-zoomsounds; Digitalzoomstudio zoomsounds; Wordpress; Wordpress wordpress |

Fri, 02 Jan 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 31 Dec 2025 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomSounds allows Reflected XSS. This issue affects ZoomSounds: from n/a through 6.91. |
| Title | | WordPress ZoomSounds plugin <= 6.91 - Reflected Cross Site Scripting (XSS) vulnerability |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:44.997Z

Reserved: 2025-05-07T09:40:07.681Z

Link: CVE-2025-47566

Vulnrichment

Updated: 2026-01-02T19:19:47.053Z

NVD

Status: Deferred

Published: 2025-12-31T20:15:42.650

Modified: 2026-04-28T19:32:25.670

Link: CVE-2025-47566

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T04:30:27Z
