Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in i3geek BaiduXZH Submit(百度熊掌号) i3geek-baiduxzh allows Reflected XSS. This issue affects BaiduXZH Submit(百度熊掌号): from n/a through <= 1.4.6.
Published: 2025-08-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the i3geek BaiduXZH Submit plugin lets an attacker inject arbitrary JavaScript into a page that the site renders for a victim. Because the flaw is reflected rather than stored, the payload travels in a crafted link or form submission and executes only when a victim opens it; the script then runs in the victim's browser under the site's origin, where it can act within the victim's authenticated session, stage phishing content, or perform other actions as that user. The root cause is improper neutralization of user-supplied input during page generation, tracked as CWE-79: the plugin writes a request value into HTML without encoding it for the context it lands in.
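The pattern described above, shown as an added example that is not code from the BaiduXZH Submit plugin or from OpenCVE: a WordPress page fragment that echoes a query parameter unescaped, beside the hardened form using WordPress's own escaping functions. The parameter name xzh_msg and the two render functions are hypothetical; the advisory does not name the plugin's actual reflecting parameter. The esc_html(), esc_attr() and wp_unslash() stand-ins exist only so the script runs outside WordPress, where the real functions are already defined.

```php
<?php
// Added example (hypothetical handler, not the plugin's code). Demonstrates
// CWE-79: a query parameter reflected into HTML without output encoding,
// beside the same fragment escaped per context with WordPress functions.

// Stand-ins so the script also runs outside WordPress. Inside WordPress the
// real esc_html(), esc_attr() and wp_unslash() already exist and are used.
if (!function_exists('esc_html')) {
    function esc_html($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) {
        // WordPress adds slashes to $_GET/$_POST; this strips them from one string.
        return is_string($value) ? stripslashes($value) : $value;
    }
}

// VULNERABLE: the raw parameter lands in two HTML contexts, text and attribute.
function xzh_render_status_vulnerable(array $get): string {
    $msg = isset($get['xzh_msg']) ? (string) $get['xzh_msg'] : '';
    return '<div class="notice"><p>' . $msg . '</p>'
         . '<input type="text" name="xzh_msg" value="' . $msg . '"></div>';
}

// HARDENED: escape at the output sink with the escaper for each context.
// esc_html() for element text, esc_attr() for a quoted attribute value.
// (Use esc_url() for href/src, and wp_kses_post() only where HTML is intended.)
function xzh_render_status_hardened(array $get): string {
    $msg = isset($get['xzh_msg']) ? wp_unslash((string) $get['xzh_msg']) : '';
    return '<div class="notice"><p>' . esc_html($msg) . '</p>'
         . '<input type="text" name="xzh_msg" value="' . esc_attr($msg) . '"></div>';
}

// Demo-only check: did the payload survive as live markup? It looks for an
// unescaped <script> element or an attribute break-out; escaped output turns
// both into &lt;script and &quot; so neither string remains.
function xzh_payload_is_live(string $html): bool {
    return stripos($html, '<script') !== false
        || stripos($html, '" onmouseover=') !== false;
}

// Constructed payloads, one per reflection context (no real target involved).
$payloads = [
    'text context'      => '<script>document.title="owned"</script>',
    'attribute context' => '" onmouseover="alert(document.domain)',
];
foreach ($payloads as $context => $payload) {
    $get = ['xzh_msg' => $payload];
    printf("%-18s vulnerable: %-6s hardened: %s\n", $context,
        xzh_payload_is_live(xzh_render_status_vulnerable($get)) ? 'live' : 'inert',
        xzh_payload_is_live(xzh_render_status_hardened($get))   ? 'live' : 'inert');
}
```

Run it with the php command-line binary; inside WordPress the shims are skipped and the same two render functions would sit in whatever callback builds the page. The point is the sink: input validation such as sanitize_text_field() is worth adding, but it does not replace context-correct escaping at the moment the value is written into HTML.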

Affected Systems

WordPress sites running the i3geek BaiduXZH Submit (百度熊掌号) plugin at version 1.4.6 or earlier are affected. The hosting environment does not matter: any installation whose reflecting page or parameter can be reached by a victim's browser is exposed, and because the CVSS vector records no privileges required, the attacker needs no account on the site, only a victim who opens the crafted link.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 is rated High (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), while the EPSS score below 1% predicts a low probability of exploitation activity in the wild over the next 30 days. The vulnerability is not listed in the CISA KEV catalog. The vector spells out the attack path: network-reachable, low complexity, no privileges required, but user interaction needed. An attacker crafts a URL or form submission whose value the plugin reflects unescaped, delivers it to a victim, and the script executes in that victim's browser under the site's origin, which is why the scope is marked as changed.

Generated by OpenCVE AI on April 30, 2026 at 09:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the BaiduXZH Submit plugin to a release later than 1.4.6 that resolves the reflected XSS as soon as the vendor publishes one; until then, treat every installation at or below 1.4.6 as vulnerable.
  • If no fixed release is available, deactivate and remove the plugin. Restricting who can reach the reflecting page does not close a reflected XSS, because the victim rather than the attacker makes the request; any user who can still reach the page can be targeted with a crafted link.
  • As a stopgap, apply a Web Application Firewall rule that blocks requests to the plugin's pages or parameters containing common XSS payloads (script tags, inline event-handler attributes, javascript: URLs), bearing in mind that pattern filters are bypassable and that output encoding inside the plugin is the actual fix; a Content-Security-Policy that disallows inline script further limits what an injected payload can do.
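A detection counterpart to the WAF recommendation, added here and not part of OpenCVE's text or the plugin: a PHP command-line script that triages web-server access logs for requests aimed at the plugin whose query parameters carry XSS-style payloads, decoding double-encoded values before matching. The path prefix is derived from the plugin slug in the CVE text (i3geek-baiduxzh); the admin page slug xzh_submit, the parameter name xzh_msg and the log lines are constructed for the example and will differ on a real install.

```php
<?php
// Added example (not OpenCVE's or the plugin's code): triage access logs for
// XSS-style payloads sent toward the plugin. Plugin path prefix derived from
// the slug in the CVE text; page slug, parameter names and log lines are
// constructed for this demo.

// Request targets counted as "aimed at the plugin" (assumed; adjust per site).
const XZH_TARGET_NEEDLES = ['/wp-content/plugins/i3geek-baiduxzh/', 'page=xzh_submit'];

// Decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are seen.
function xzh_fully_decode(string $s, int $rounds = 3): string {
    for ($i = 0; $i < $rounds; $i++) {
        $d = urldecode($s);
        if ($d === $s) {
            break;
        }
        $s = $d;
    }
    return $s;
}

// Broad patterns for the common reflected-XSS families: script-bearing tags,
// inline event handlers, javascript: and data:text/html URLs. Deliberately
// wide for triage; a blocking WAF rule would need tighter tuning.
function xzh_looks_like_xss(string $value): bool {
    $v = xzh_fully_decode($value);
    return (bool) preg_match(
        '~<\s*/?\s*(script|img|svg|iframe|body|object|embed|math|details)\b'
        . '|\bon[a-z]{2,}\s*=|javascript\s*:|data\s*:\s*text/html~i',
        $v
    );
}

// Parse one combined-log-format line into the fields used here.
function xzh_parse_line(string $line): ?array {
    if (!preg_match('~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})~', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

// Return one finding per suspicious parameter on a plugin-targeted request.
function xzh_scan(array $lines): array {
    $findings = [];
    foreach ($lines as $line) {
        $req = xzh_parse_line($line);
        if ($req === null) {
            continue;
        }
        $aimed = false;
        foreach (XZH_TARGET_NEEDLES as $needle) {
            if (stripos($req['target'], $needle) !== false) {
                $aimed = true;
                break;
            }
        }
        if (!$aimed) {
            continue;
        }
        // parse_str() URL-decodes once; xzh_looks_like_xss() handles the rest.
        parse_str((string) parse_url($req['target'], PHP_URL_QUERY), $params);
        foreach ($params as $name => $value) {
            if (is_string($value) && xzh_looks_like_xss($value)) {
                $findings[] = [
                    'ip'     => $req['ip'],
                    'time'   => $req['time'],
                    'status' => $req['status'],
                    'param'  => (string) $name,
                    'value'  => xzh_fully_decode($value),
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample lines (RFC 5737 addresses): the second is benign, the
// third hits the plugin path but carries no query, the fourth is double-encoded.
$sample = [
    '203.0.113.7 - - [14/Aug/2025:10:02:11 +0000] "GET /wp-admin/admin.php?page=xzh_submit&xzh_msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Aug/2025:10:03:45 +0000] "GET /wp-admin/admin.php?page=xzh_submit&xzh_msg=hello HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Aug/2025:10:04:02 +0000] "GET /wp-content/plugins/i3geek-baiduxzh/readme.txt HTTP/1.1" 404 221 "-" "curl/8.4.0"',
    '192.0.2.5 - - [14/Aug/2025:10:05:30 +0000] "GET /wp-admin/admin.php?page=xzh_submit&xzh_msg=%2522%2520onmouseover%253Dalert(1) HTTP/1.1" 200 5140 "-" "Mozilla/5.0"',
];
foreach (xzh_scan($sample) as $f) {
    printf("%s %s status=%d param=%s value=%s\n", $f['time'], $f['ip'], $f['status'], $f['param'], $f['value']);
}
```

To run it over real logs, replace the sample array with file('php://stdin', FILE_IGNORE_NEW_LINES) and pipe the access log in. A 200 response on a hit means the page rendered the request and is worth inspecting in the plugin's output; the log alone cannot show whether a victim ever opened the link, so findings are leads for the response owner, not proof of compromise.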



Advisories
Source: EUVD
ID: EUVD-2025-24769
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in i3geek BaiduXZH Submit(百度熊掌号) allows Reflected XSS. This issue affects BaiduXZH Submit(百度熊掌号): from n/a through 1.4.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in i3geek BaiduXZH Submit(百度熊掌号) allows Reflected XSS. This issue affects BaiduXZH Submit(百度熊掌号): from n/a through 1.4.6.
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in i3geek BaiduXZH Submit(百度熊掌号) i3geek-baiduxzh allows Reflected XSS.This issue affects BaiduXZH Submit(百度熊掌号): from n/a through <= 1.4.6.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 14 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared: Wordpress (vendor) / wordpress (product)
Vendors & Products: Wordpress (vendor) / wordpress (product)

Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in i3geek BaiduXZH Submit(百度熊掌号) allows Reflected XSS. This issue affects BaiduXZH Submit(百度熊掌号): from n/a through 1.4.6.
Title WordPress BaiduXZH Submit(百度熊掌号) plugin <= 1.4.6 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:58.724Z

Reserved: 2025-05-30T14:04:42.920Z

Link: CVE-2025-49063

Vulnrichment

Updated: 2025-08-14T19:54:19.655Z

NVD

Status: Deferred

Published: 2025-08-14T11:15:39.027

Modified: 2026-04-23T15:31:15.800

Link: CVE-2025-49063

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T09:15:28Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')