Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup xPromoter top_bar_promoter allows Reflected XSS. This issue affects xPromoter: from n/a through <= 1.3.4.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The xPromoter plugin for WordPress fails to neutralize user-supplied input when it generates page content, so an attacker can craft a URL whose query parameter is reflected into the response as live markup and runs as script in the browser of anyone who opens the link. A reflected cross-site scripting flaw of this kind lets the attacker execute JavaScript in the site's origin: read and modify the DOM, perform actions with the victim's session, and exfiltrate any data the page exposes. The root cause is that request parameters are written into the HTML response without context-appropriate escaping (CWE-79).

Affected Systems

The vulnerability affects the LambertGroup xPromoter top_bar_promoter WordPress plugin in versions up to and including 1.3.4. Any WordPress site with the plugin active on a version in that range is exposed, and the page records no fixed release. The advisory does not name the affected parameter, only that the plugin reflects request input into the generated page without proper escaping; the CVSS vector (PR:N) indicates the reflecting endpoint is reachable without authentication.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 is rated High (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L); the History section shows it was raised from 6.1 on 23 April 2026 when a low availability impact was added to the vector. An EPSS score below 1% indicates a low observed exploitation probability, and the flaw is not listed in CISA's KEV catalog. Exploitation nevertheless requires no privileges, only that a victim open a crafted link, so a phishing message or a link planted on a third-party site is sufficient. WordPress sets its authentication cookies HttpOnly by default, so the injected script usually cannot read the session cookie directly, but it can still issue requests in the victim's session, including reading nonces out of the page and submitting admin-ajax or REST calls, which is why a logged-in administrator is the most valuable target.

Generated by OpenCVE AI on April 30, 2026 at 04:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade xPromoter to a release newer than 1.3.4 as soon as the vendor publishes one. The Remediation note above records no vendor fix or workaround at the time of enrichment, so verify the fixed version against the vendor changelog or the Patchstack advisory rather than assuming a particular version number closes the issue.
  • If no fixed release is available, deactivate or uninstall the plugin on publicly reachable sites. Deactivating stops its hooks and shortcodes from running; uninstalling also removes plugin files that could otherwise be requested directly.
  • Deploy a Content Security Policy that restricts script-src to trusted origins, nonces or hashes and does not include 'unsafe-inline'; a policy that permits inline script gives no protection against reflected XSS. Roll the policy out in Report-Only mode first so that existing inline scripts from the theme and other plugins can be identified before enforcement.
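The reflected pattern described under Impact, and the escaping and CSP measures from the recommended actions above, as an added illustration in PHP. This is not code from the xPromoter plugin or from LambertGroup: the shortcode name, the parameters promo_text and promo_url, and the text domain xp-demo are hypothetical, while the WordPress functions used (sanitize_text_field, wp_unslash, esc_attr, esc_html, esc_url, esc_html__, add_shortcode, and the send_headers action) are standard core APIs.

```php
<?php
/*
 * Added illustration only; not the xPromoter plugin's code. The parameter
 * names, shortcode name and text domain are hypothetical (assumptions).
 * The advisory says the plugin reflects request input into the page without
 * neutralizing it; this is what that pattern and its fix typically look like.
 */

// VULNERABLE pattern (CWE-79): a request parameter is concatenated straight
// into markup, in two output contexts at once (attribute value, text node).
// A request such as
//   /?promo_text="><script>alert(document.domain)</script>
// closes the title attribute and the script executes in the visitor's
// browser. Shown for comparison only; never register this function.
function xp_demo_top_bar_vulnerable() {
    $text = isset( $_GET['promo_text'] ) ? $_GET['promo_text'] : '';
    return '<div class="top-bar" title="' . $text . '">' . $text . '</div>';
}

// HARDENED pattern: normalise on input, then escape for the exact output
// context. Escaping is per context; esc_attr for attribute values, esc_html
// for text nodes, esc_url for href (esc_url returns '' for javascript: and
// other disallowed schemes). sanitize_text_field strips tags, but the
// output escaping is the control that actually prevents the injection.
function xp_demo_top_bar_hardened() {
    $text = isset( $_GET['promo_text'] )
        ? sanitize_text_field( wp_unslash( $_GET['promo_text'] ) )
        : '';
    $link = isset( $_GET['promo_url'] )
        ? esc_url( wp_unslash( $_GET['promo_url'] ) )
        : '';

    $html  = '<div class="top-bar" title="' . esc_attr( $text ) . '">';
    $html .= esc_html( $text );
    if ( '' !== $link ) {
        $html .= ' <a href="' . esc_url( $link ) . '">'
               . esc_html__( 'Learn more', 'xp-demo' )
               . '</a>';
    }
    $html .= '</div>';
    return $html;
}

add_shortcode( 'xp_demo_top_bar', 'xp_demo_top_bar_hardened' );

// Defence in depth for the CSP recommendation: a policy without
// 'unsafe-inline' blocks the payload even if a reflection is missed.
// Report-Only first, so legitimate inline scripts surface in reports
// before the header is switched to Content-Security-Policy.
add_action( 'send_headers', function () {
    header(
        "Content-Security-Policy-Report-Only: default-src 'self'; "
        . "script-src 'self'; object-src 'none'; base-uri 'self'"
    );
} );
```

To confirm a site no longer reflects input, request the page with a harmless canary such as promo_text=xp"canary<x and check that the response contains only the encoded form (&quot; and &lt;); if the raw characters come back inside the markup, the output is still unescaped for that context.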

Generated by OpenCVE AI on April 30, 2026 at 04:22 UTC.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 26 Jan 2026 23:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup xPromoter top_bar_promoter allows Reflected XSS. This issue affects xPromoter: from n/a through <= 1.3.4.

Type: Title
Values Added: WordPress xPromoter plugin <= 1.3.4 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:57.887Z

Reserved: 2025-05-30T14:04:26.751Z

Link: CVE-2025-49046

Vulnrichment

Updated: 2026-01-26T22:00:42.650Z

NVD

Status : Deferred

Published: 2026-01-22T17:15:55.527

Modified: 2026-06-17T09:30:42.540

Link: CVE-2025-49046

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T04:30:27Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')