Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cornfeed WP-jScrollPane wp-jscrollpane allows Reflected XSS. This issue affects WP-jScrollPane: from n/a through <= 2.0.3.
Published: 2025-08-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation leads to a reflected cross‑site scripting (XSS) vulnerability. The flaw allows an attacker to inject code that runs in the user’s browser, potentially enabling session hijacking, defacement or phishing attacks. The weakness stems from missing output encoding and is catalogued as CWE‑79.

Affected Systems

The cornfeed WP‑jScrollPane WordPress plugin, versions up to and including 2.0.3, is affected. The vulnerability applies to all releases from the initial version through 2.0.3.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. The EPSS score of less than 1% implies a low current exploitation probability, and the issue is not listed in CISA’s KEV catalog. The likely attack vectors are crafted URLs or form inputs whose values are returned without proper encoding, so any user clicking on a malicious link could be impacted. Exploitation requires no authentication and can be performed against public HTTP endpoints.

Generated by OpenCVE AI on April 30, 2026 at 09:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install the latest WP‑jScrollPane plugin version (>= 2.0.4) from the vendor’s repository.
  • If an update is not available or cannot be applied, disable the plugin until remediation is performed.
  • Review any user‑input handling in the application to ensure proper sanitization and output encoding, and apply similar fixes to related plugins or theme components.

Advisories

Source: EUVD
ID: EUVD-2025-24768
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cornfeed WP-jScrollPane allows Reflected XSS. This issue affects WP-jScrollPane: from n/a through 2.0.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cornfeed WP-jScrollPane allows Reflected XSS. This issue affects WP-jScrollPane: from n/a through 2.0.3.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cornfeed WP-jScrollPane wp-jscrollpane allows Reflected XSS. This issue affects WP-jScrollPane: from n/a through <= 2.0.3.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 14 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cornfeed WP-jScrollPane allows Reflected XSS. This issue affects WP-jScrollPane: from n/a through 2.0.3.
Title WordPress WP-jScrollPane plugin <= 2.0.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:58.568Z

Reserved: 2025-05-30T14:04:42.919Z

Link: CVE-2025-49062

Vulnrichment

Updated: 2025-08-14T19:50:31.460Z

NVD

Status: Deferred

Published: 2025-08-14T11:15:38.817

Modified: 2026-04-23T15:31:15.680

Link: CVE-2025-49062

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T09:15:28Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')