Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ko Min WP Voting wp-voting allows Reflected XSS. This issue affects WP Voting: from n/a through <= 1.8.
Published: 2025-08-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Voting plugin for WordPress is vulnerable to a reflected cross‑site scripting flaw caused by improper neutralization of user input. When an attacker crafts a URL or input that is reflected by the plugin, the victim’s browser will execute the supplied script. This can lead to theft of session cookies, defacement, or execution of arbitrary JavaScript.

Affected Systems

The vulnerability exists in the Ko Min WP Voting plugin, versions up to and including 1.8. Any WordPress site that has installed WP Voting 1.8 or older is affected.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity. The EPSS score is below 1 % and the vulnerability is not listed in the CISA KEV catalog, suggesting that active exploitation is currently rare. The likely attack vector is a reflected XSS attack via a malicious link or form submission that the victim follows or clicks. Successful exploitation requires the plugin to be active and the victim to visit a crafted page that triggers the reflected input. The impact is limited to the victim’s browser and could include data theft or manipulation of web content.

Generated by OpenCVE AI on April 30, 2026 at 09:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Voting to the latest supported release that removes the XSS flaw.
  • Disable or uninstall the WP Voting plugin if the voting feature is not required.
  • Until a patch is applied, configure a web application firewall to block or neutralize suspicious query strings, or a Content Security Policy to restrict script execution, to reduce the risk of reflected XSS.



Advisories
Source: EUVD
ID: EUVD-2025-24764
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ko Min WP Voting allows Reflected XSS. This issue affects WP Voting: from n/a through 1.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ko Min WP Voting allows Reflected XSS. This issue affects WP Voting: from n/a through 1.8.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ko Min WP Voting wp-voting allows Reflected XSS. This issue affects WP Voting: from n/a through <= 1.8.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 14 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ko Min WP Voting allows Reflected XSS. This issue affects WP Voting: from n/a through 1.8.
Title WordPress WP Voting Plugin <= 1.8 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:58.233Z

Reserved: 2025-05-30T14:04:34.998Z

Link: CVE-2025-49057

Vulnrichment

Updated: 2025-08-14T18:44:11.453Z

NVD

Status: Deferred

Published: 2025-08-14T11:15:38.073

Modified: 2026-04-23T15:31:15.227

Link: CVE-2025-49057

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T09:15:28Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')