Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dimafreund Rentsyst rentsyst allows Reflected XSS. This issue affects Rentsyst: from n/a through <= 2.0.100.
Published: 2025-08-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Rentsyst WordPress plugin contains a reflected XSS flaw caused by improper neutralization of user input when generating web pages. A malicious user can embed script payloads in specially crafted requests, which are echoed back in the browser output. The injected code runs in the victim’s browser context and can be used for session hijacking, credential theft, defacement, or phishing attacks. The weakness is characterized as CWE‑79 and is confined to the user‑interface layer, without compromising server or database integrity.

Affected Systems

Vulnerable versions of the Rentsyst plugin are all releases from the earliest available version through 2.0.100 inclusive. The affected product is developed by dimafreund and installed as a standard WordPress plugin. No other components or plugins are explicitly mentioned as affected.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity risk, while the EPSS score of less than 1 % reflects a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by directing a victim’s browser to a crafted URL that includes malicious script content; no administrative privileges or authentication are required. Exploitation is therefore possible in the context of open links or phishing campaigns.

Generated by OpenCVE AI on May 1, 2026 at 06:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Rentsyst plugin to the latest version, which removes the reflected XSS flaw.
  • If an immediate update is not possible, disable or delete the plugin from the WordPress installation until a fix can be applied.
  • Implement a web application firewall or similar input‑validation rule to block script tags or suspicious query parameters from reaching the plugin’s output.


Advisories

Source: EUVD
ID: EUVD-2025-25377
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dimafreund Rentsyst allows Reflected XSS. This issue affects Rentsyst: from n/a through 2.0.100.
History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description, value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dimafreund Rentsyst allows Reflected XSS. This issue affects Rentsyst: from n/a through 2.0.100.
  Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dimafreund Rentsyst rentsyst allows Reflected XSS. This issue affects Rentsyst: from n/a through <= 2.0.100.
  References (no values listed)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 21 Aug 2025 12:45:00 +0000
  First Time appeared: Wordpress, Wordpress wordpress
  Vendors & Products: Wordpress, Wordpress wordpress

Wed, 20 Aug 2025 18:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 Aug 2025 08:15:00 +0000
  Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dimafreund Rentsyst allows Reflected XSS. This issue affects Rentsyst: from n/a through 2.0.100.
  Title, value added: WordPress Rentsyst Plugin <= 2.0.100 - Cross Site Scripting (XSS) Vulnerability
  Weaknesses, value added: CWE-79
  References (no values listed)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:52.804Z

Reserved: 2025-05-15T18:02:03.510Z

Link: CVE-2025-48152

Vulnrichment

Updated: 2025-08-20T17:40:42.661Z

NVD

Status: Deferred

Published: 2025-08-20T08:15:31.013

Modified: 2026-04-23T15:30:53.570

Link: CVE-2025-48152

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:45:11Z

Weaknesses