Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shiva WSAnalytics wsanalytics-google-analytics-and-dashboards allows Reflected XSS. This issue affects WSAnalytics: from n/a through <= 1.1.2.
Published: 2025-10-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an improper neutralization of user input during web page generation, allowing an attacker to inject malicious JavaScript that is reflected back to the browser. If an impacted user clicks a crafted link or visits a page containing the injected payload, the script executes in the victim’s browser context, enabling phishing, credential theft, or session hijacking. The vulnerability does not grant direct server‑side code execution or privilege escalation, but it can be leveraged to compromise the confidentiality and integrity of the end‑user’s session.

Affected Systems

WordPress users running the WSAnalytics plugin from vendor Shiva, version 1.1.2 and earlier are vulnerable. The issue affects all releases up to and including 1.1.2 regardless of other configurations.

Risk and Exploitability

The CVSS score is 7.1, indicating a high‑severity client‑side flaw. The EPSS score is less than 1%, suggesting a low probability of widespread exploitation at present. The vulnerability is not listed in CISA KEV. Exploitation requires an attacker to supply a malicious URL or form input that is rendered without proper escaping; it typically depends on user interaction (e.g., clicking a link).

Generated by OpenCVE AI on April 29, 2026 at 16:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WSAnalytics to the latest available version (1.1.3 or later if released).
  • If an upgrade is not possible, disable or uninstall the WSAnalytics plugin to remove the vulnerable code path.
  • Maintain up‑to‑date WordPress core and all plugins, and consider deploying a Web Application Firewall to block malicious input patterns.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Fri, 24 Oct 2025 09:15:00 +0000

Type | Values Removed | Values Added
Metrics | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'} | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 23 Oct 2025 10:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Oct 2025 14:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shiva WSAnalytics wsanalytics-google-analytics-and-dashboards allows Reflected XSS. This issue affects WSAnalytics: from n/a through <= 1.1.2.
Title | | WordPress WSAnalytics plugin <= 1.1.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:18:16.145Z

Reserved: 2025-05-15T17:54:35.011Z

Link: CVE-2025-48097

Vulnrichment

Updated: 2025-10-22T19:58:54.431Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:34.467

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-48097

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T17:00:13Z
