Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gourl GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership gourl-bitcoin-payment-gateway-paid-downloads-membership allows Stored XSS. This issue affects GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership: from n/a through <= 1.6.6.
Published: 2025-09-05
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation results in a stored XSS flaw in the GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership plugin. If an attacker can inject malicious script payloads that are persisted and later rendered on web pages, those scripts will execute in the browsers of any user who views the affected content. The primary consequence is that an attacker could hijack user sessions, steal credentials, deface the site, or perform further attacks on the server or network based on the user’s privileges. This form of attack is typical of CWE-79, which covers both reflected and persistent (stored) script injection, and it can undermine the confidentiality, integrity, and availability of the user experience.

Affected Systems

The GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership plugin for WordPress, v1.6.6 and earlier, is affected. All installations using any version up to and including 1.6.6 should be treated as vulnerable.

Risk and Exploitability

The CVSS base score of 5.9 indicates moderate severity. The EPSS score of < 1% indicates a low estimated probability of exploitation, and the vulnerability is not listed in CISA KEV. However, stored XSS can be triggered remotely by anyone who can input data into fields managed by the plugin, so an attacker with any account that can submit or edit content could exploit it. The risk is moderate, but the potential impact warrants quick remediation.

Generated by OpenCVE AI on April 30, 2026 at 07:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership plugin to the latest version (1.6.7 or newer) once it is released; the patch removes the unescaped input handling.
  • If an immediate update is not possible, restrict the plugin’s input areas to privileged administrators and disable any public-facing insertion points until a fix is applied.
  • Apply proper output encoding or sanitization at runtime for any remaining inputs that are rendered without escaping, and review the plugin’s input handling for other potential injection points.

Advisories
Source: EUVD
ID: EUVD-2025-27032
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gourl GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership allows Stored XSS. This issue affects GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership: from n/a through 1.6.6.

History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gourl GoUrl Bitcoin Payment Gateway &amp; Paid Downloads &amp; Membership gourl-bitcoin-payment-gateway-paid-downloads-membership allows Stored XSS.This issue affects GoUrl Bitcoin Payment Gateway &amp; Paid Downloads &amp; Membership: from n/a through <= 1.6.6.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gourl GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership gourl-bitcoin-payment-gateway-paid-downloads-membership allows Stored XSS.This issue affects GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership: from n/a through <= 1.6.6.

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gourl GoUrl Bitcoin Payment Gateway &amp; Paid Downloads &amp; Membership allows Stored XSS. This issue affects GoUrl Bitcoin Payment Gateway &amp; Paid Downloads &amp; Membership: from n/a through 1.6.6.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gourl GoUrl Bitcoin Payment Gateway &amp; Paid Downloads &amp; Membership gourl-bitcoin-payment-gateway-paid-downloads-membership allows Stored XSS.This issue affects GoUrl Bitcoin Payment Gateway &amp; Paid Downloads &amp; Membership: from n/a through <= 1.6.6.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Fri, 05 Sep 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Sep 2025 16:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gourl GoUrl Bitcoin Payment Gateway &amp; Paid Downloads &amp; Membership allows Stored XSS. This issue affects GoUrl Bitcoin Payment Gateway &amp; Paid Downloads &amp; Membership: from n/a through 1.6.6.
Title WordPress GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership plugin <= 1.6.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:51.255Z

Reserved: 2025-05-15T17:54:35.012Z

Link: CVE-2025-48102

Vulnrichment

Updated: 2025-09-05T19:52:34.248Z

NVD

Status: Deferred

Published: 2025-09-05T17:15:35.687

Modified: 2026-04-28T19:32:35.607

Link: CVE-2025-48102

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T07:15:31Z

Weaknesses