Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Back Button Widget back-button-widget allows Stored XSS.This issue affects Back Button Widget: from n/a through <= 1.6.8.
Published: 2025-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Back Button Widget plugin contains an improper neutralization of user input during page generation, allowing attackers to store malicious script code within a WordPress site. This stored cross‑site scripting can run arbitrary JavaScript in the context of any visitor, enabling cookie theft, defacement, or redirection to phishing pages. The weakness is an instance of CWE‑79.

Affected Systems

The vulnerability affects all releases of the Back Button Widget plugin from its earliest version up to and including 1.6.8. The affected product is the WPFactory Back Button Widget plugin for WordPress sites. Any WordPress installation that has this plugin installed in a version 1.6.8 or older is susceptible; newer plugin versions have the issue fixed.

Risk and Exploitability

The CVSS score of 6.5 reflects moderate severity, while the EPSS score of less than 1% indicates a very low current exploitation probability. The vulnerability is not yet listed in the CISA KEV catalog. The likely attack vector is via the normal web interface, as an attacker can inject malicious script through the plugin configuration fields. Because it is a stored XSS, no additional privileges are required and an unauthenticated visitor can trigger the payload when visiting the affected site.

Generated by OpenCVE AI on April 30, 2026 at 12:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Back Button Widget plugin to the latest available version that fixes the stored XSS flaw.
  • If updates are not immediately possible, uninstall or disable the Back Button Widget plugin to eliminate the stored XSS risk.
  • Review the site for any injected JavaScript and remove it, and verify that no other plugins introduce similar unsanitized input handling.

Generated by OpenCVE AI on April 30, 2026 at 12:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28172 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Back Button Widget allows Stored XSS. This issue affects Back Button Widget: from n/a through 1.6.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Back Button Widget allows Stored XSS. This issue affects Back Button Widget: from n/a through 1.6.8. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Back Button Widget back-button-widget allows Stored XSS.This issue affects Back Button Widget: from n/a through <= 1.6.8.
Title WordPress Back Button Widget <= 1.6.8 - Cross Site Scripting (XSS) Vulnerability WordPress Back Button Widget plugin <= 1.6.8 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Fri, 30 May 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Wpfactory
Wpfactory back Button Widget
CPEs cpe:2.3:a:wpfactory:back_button_widget:*:*:*:*:*:wordpress:*:*
Vendors & Products Wpfactory
Wpfactory back Button Widget

Mon, 19 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 19 May 2025 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Back Button Widget allows Stored XSS. This issue affects Back Button Widget: from n/a through 1.6.8.
Title WordPress Back Button Widget <= 1.6.8 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wpfactory Back Button Widget
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:54.240Z

Reserved: 2025-05-19T14:13:09.841Z

Link: CVE-2025-48252

cve-icon Vulnrichment

Updated: 2025-05-19T15:09:44.043Z

cve-icon NVD

Status : Modified

Published: 2025-05-19T15:15:28.030

Modified: 2026-04-23T15:30:58.200

Link: CVE-2025-48252

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T12:45:22Z

Weaknesses