Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team: Tobias WP2LEADS wp2leads allows Reflected XSS. This issue affects WP2LEADS: from n/a through <= 3.5.0.
Published: 2025-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin fails to neutralise request input before writing it into a generated page (CWE-79), which allows reflected cross-site scripting. Because the payload is reflected rather than stored, it travels inside an attacker-crafted URL or form submission and runs only in the browser of the user who opens it, inside that user's session on the site. WordPress marks its authentication cookies HttpOnly, so outright cookie theft is unlikely; the realistic impact is script acting as the victim, reading what the victim can read (including nonces exposed in the page), submitting actions in their name, altering what the page shows, or redirecting to a phishing page. The CVSS vector records a limited loss of confidentiality, integrity and availability per victim (C:L/I:L/A:L with a scope change); the practical severity depends on who is lured into clicking, and a logged-in administrator is the usual target.

Affected Systems

WordPress sites running the Saleswonder Team: Tobias WP2LEADS plugin (slug wp2leads) at version 3.5.0 or earlier are affected; the record gives no lower bound ("from n/a"), so treat every earlier release as vulnerable. No WordPress core or other third-party component is named, and the record describes no configuration that avoids the issue, so assume every installed copy in that range is exposed. The installed version can be read from the plugin header or from the Plugins screen in the WordPress admin.

Risk and Exploitability

The CVSS 3.1 score of 7.1 (High) comes from the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: the attacker needs no account and no special conditions, but a victim must open the crafted link (UI:R), and the scope change reflects the script executing in the victim's browser rather than in the plugin itself. The EPSS score below 1% rates the probability of exploitation in the wild as very low, the issue is not listed in the CISA KEV catalog, and the SSVC entry recorded in the history below marks Exploitation as none and Automatable as no. The attack vector is an HTTP request in which a parameter is echoed back into the generated page without escaping; the attacker delivers the link or pre-filled form to a victim, typically a logged-in site administrator, by email, chat or another site, and the payload runs when the victim clicks or submits.
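The pattern described above, as an added example that is not WP2LEADS's own code: a request parameter interpolated straight into HTML next to the same output escaped for each context with the WordPress escaping functions. The parameter names (lead_source, back), the markup, and the constructed payloads are assumptions; the esc_* fallbacks at the top are simplified stand-ins so the file runs under a plain PHP CLI and are only used when the real WordPress functions are absent.

```php
<?php
// Added illustration, not code from WP2LEADS: the reflected-XSS pattern the
// advisory describes (request data echoed into the page unescaped) next to
// the context-aware escaping a WordPress plugin should use instead.
// The "lead_source"/"back" parameter names and the markup are assumptions.

// Fallbacks so the file also runs under a plain `php` CLI outside WordPress.
// They are simplified stand-ins; inside WordPress the real esc_html(),
// esc_attr() and esc_url() are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Stand-in: keep only http(s) and site-relative URLs; javascript:, data:
    // and similar schemes become an empty string.
    function esc_url(string $s): string {
        if (!preg_match('#^(https?://|/(?!/))#i', $s)) {
            return '';
        }
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: query parameters interpolated straight into HTML in
// three different output contexts (text node, attribute value, href).
function render_vulnerable(array $get): string
{
    $src  = $get['lead_source'] ?? '';
    $back = $get['back'] ?? '/';
    return "<p>Source: {$src}</p>\n"
         . "<input name=\"lead_source\" value=\"{$src}\">\n"
         . "<a href=\"{$back}\">Back</a>\n";
}

// Hardened pattern: each value is escaped for the exact context it lands in.
// Sanitising on input is not enough on its own; the escaping call must match
// the output context (esc_html for text, esc_attr for attributes, esc_url
// for href/src).
function render_hardened(array $get): string
{
    $src  = (string) ($get['lead_source'] ?? '');
    $back = (string) ($get['back'] ?? '/');
    return '<p>Source: ' . esc_html($src) . "</p>\n"
         . '<input name="lead_source" value="' . esc_attr($src) . "\">\n"
         . '<a href="' . esc_url($back) . "\">Back</a>\n";
}

// True when the rendered HTML still carries an executable fragment taken from
// the request: a script element or a javascript: URL.
function reflects_payload(string $html): bool
{
    return stripos($html, '<script') !== false
        || stripos($html, 'javascript:') !== false;
}

// Constructed request (not taken from any real report), one payload per context.
$attack = [
    'lead_source' => '"><script>alert(document.cookie)</script>',
    'back'        => 'javascript:alert(1)',
];

printf("vulnerable output reflects payload: %s\n",
    reflects_payload(render_vulnerable($attack)) ? 'yes' : 'no');
printf("hardened output reflects payload:   %s\n",
    reflects_payload(render_hardened($attack)) ? 'yes' : 'no');
echo render_hardened($attack);
```

Run it with `php example.php`; the vulnerable renderer passes the script element and the javascript: URL through untouched, while the hardened one converts the angle brackets and quotes to entities and drops the non-http URL. The point worth carrying into a code review of any plugin is the last one: the check is per output context, so a value that is safe inside a text node can still break out of an attribute or a URL.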

Generated by OpenCVE AI on April 30, 2026 at 17:47 UTC.

Remediation

No vendor fix or workaround is recorded on this page.

OpenCVE Recommended Actions

  • Update WP2LEADS to a release later than 3.5.0 once the vendor publishes one. The advisory gives the affected range as "through 3.5.0" but names no fixed version, so confirm in the plugin changelog or the Patchstack advisory that the reflected XSS is addressed before treating an upgrade as the fix.
  • If an upgrade is not immediately possible, put a Web Application Firewall with XSS rules in front of the site and warn users, administrators in particular, not to open untrusted links from emails or other sites. Treat the WAF as a stopgap: signature-based XSS filtering is routinely bypassed with encoding and context tricks, so it reduces exposure but does not remove the flaw.
  • As a temporary workaround, deactivate or remove the WP2LEADS plugin if it is not essential to the site. Deactivating only stops WordPress from loading the plugin; its files stay on disk, so if the reflecting script can be requested directly, deleting the plugin is what actually removes the attack surface.

Generated by OpenCVE AI on April 30, 2026 at 17:47 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-28294
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team Tobias WP2LEADS allows Reflected XSS. This issue affects WP2LEADS: from n/a through 3.5.0.
History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team Tobias WP2LEADS allows Reflected XSS. This issue affects WP2LEADS: from n/a through 3.5.0.
    Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team: Tobias WP2LEADS wp2leads allows Reflected XSS.This issue affects WP2LEADS: from n/a through <= 3.5.0.
  References
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 20 Jun 2025 14:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Jun 2025 15:15:00 +0000
  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team Tobias WP2LEADS allows Reflected XSS. This issue affects WP2LEADS: from n/a through 3.5.0.
  Title: WordPress WP2LEADS plugin <= 3.5.0 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:00.770Z

Reserved: 2025-06-04T09:42:07.048Z

Link: CVE-2025-49316

Vulnrichment

Updated: 2025-06-18T14:19:59.822Z

NVD

Status: Deferred

Published: 2025-06-17T15:15:48.510

Modified: 2026-04-23T15:31:27.147

Link: CVE-2025-49316

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T18:00:14Z

Weaknesses