Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Dynamic Links wp-dynamic-links allows Reflected XSS. This issue affects WP Dynamic Links: from n/a through <= 1.0.1.
Published: 2025-08-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Dynamic Links plugin, by Soflyy, does not properly neutralize input that is reflected back to users' browsers. The flaw permits injection of malicious scripts into the page output, enabling attackers to execute arbitrary JavaScript in the victim's browser. The official CVE description only specifies a reflected XSS vulnerability; no further implications such as session hijacking, data theft, phishing or defacement are explicitly stated. The likely attack vector is delivery of malicious script via reflected parameters as described.

Affected Systems

The vulnerability exists in all releases of the Soflyy WP Dynamic Links plugin up through version 1.0.1. Any WordPress site with this plugin installed is affected.

Risk and Exploitability

With a CVSS score of 7.1 the flaw is rated High severity, yet the EPSS score of less than 1% indicates a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is delivery of a crafted URL or form input that is reflected by the plugin; the attack is indirect and depends on victim interaction, with no authentication or privilege escalation needed.

Generated by OpenCVE AI on May 1, 2026 at 06:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Dynamic Links plugin to a version newer than 1.0.1 to eliminate the reflected XSS vulnerability.
  • If an immediate upgrade is not possible, deploy a web‑application firewall or input filtering rule that blocks script tags or unexpected characters in the parameters reflected by the plugin.
  • Disable or restrict the link‑sharing feature until a secure version is available, and verify that all other user‑supplied content is properly sanitized before rendering.


Advisories
Source: EUVD
ID: EUVD-2025-24755
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Dynamic Links allows Reflected XSS. This issue affects WP Dynamic Links: from n/a through 1.0.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Dynamic Links allows Reflected XSS. This issue affects WP Dynamic Links: from n/a through 1.0.1.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Dynamic Links wp-dynamic-links allows Reflected XSS. This issue affects WP Dynamic Links: from n/a through <= 1.0.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Sat, 16 Aug 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared: Soflyy; Soflyy wp Dynamic Links; Wordpress; Wordpress wordpress
Vendors & Products: Soflyy; Soflyy wp Dynamic Links; Wordpress; Wordpress wordpress

Thu, 14 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Dynamic Links allows Reflected XSS. This issue affects WP Dynamic Links: from n/a through 1.0.1.
Title WordPress WP Dynamic Links plugin <= 1.0.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:58.067Z

Reserved: 2025-05-30T14:04:26.750Z

Link: CVE-2025-49038

Vulnrichment

Updated: 2025-08-14T19:31:38.606Z

NVD

Status: Deferred

Published: 2025-08-14T11:15:36.337

Modified: 2026-04-23T15:31:12.570

Link: CVE-2025-49038

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:00:06Z

Weaknesses