Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Nuss nuss allows Reflected XSS. This issue affects Nuss: from n/a through <= 1.3.3.
Published: 2025-08-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper Neutralization of Input During Web Page Generation leads to a reflected XSS flaw that allows an attacker to inject arbitrary scripts into pages served by the Nuss theme. When a victim opens a crafted link, the injected script runs in the victim's browser in the context of the affected site, potentially enabling session hijacking, data theft, or site defacement. The weakness is a classic input-neutralization flaw (CWE‑79); it does not by itself grant code execution on the server.

Affected Systems

The affected product is the WordPress theme Nuss from vendor uxper. All theme releases up to and including version 1.3.3 are vulnerable. No other versions are listed as impacted.

Risk and Exploitability

The CVSS score is 7.1, indicating medium-to-high severity. EPSS puts the probability of exploitation below 1 %, so active exploitation is currently unlikely. The vulnerability is not in CISA's KEV catalog, and no public exploits have been reported. The attack vector is the web: the attacker must entice a user into visiting a maliciously crafted URL or page. Administrators should treat this as a moderate-to-high risk that warrants prompt mitigation.

Generated by OpenCVE AI on April 30, 2026 at 15:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Nuss theme to a version newer than 1.3.3 to receive the vendor‑supplied patch that eliminates the XSS flaw.
  • If an immediate theme upgrade is not possible, remove or disable the Nuss theme from the site until the vulnerability can be resolved.
  • Apply application-level output escaping for any request data the theme renders, using WordPress built-in functions such as esc_attr() and wp_kses(), so that injected markup cannot execute as script.


Advisories
Source: EUVD
ID: EUVD-2025-25366
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in liseperu Elizaibots allows Stored XSS. This issue affects Elizaibots: from n/a through 1.0.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in liseperu Elizaibots allows Stored XSS. This issue affects Elizaibots: from n/a through 1.0.2.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Nuss nuss allows Reflected XSS.This issue affects Nuss: from n/a through <= 1.3.3.
Title
  Values Removed: WordPress Elizaibots plugin <= 1.0.2 - Cross Site Scripting (XSS) vulnerability
  Values Added: WordPress Nuss Theme <= 1.3.3 - Cross Site Scripting (XSS) Vulnerability
References
Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Thu, 21 Aug 2025 12:45:00 +0000

First Time appeared: Wordpress; Wordpress wordpress
Vendors & Products: Wordpress; Wordpress wordpress

Wed, 20 Aug 2025 18:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 Aug 2025 08:15:00 +0000

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in liseperu Elizaibots allows Stored XSS. This issue affects Elizaibots: from n/a through 1.0.2.
Title: WordPress Elizaibots plugin <= 1.0.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses: CWE-79
References
Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:07.341Z

Reserved: 2025-06-11T16:06:23.852Z

Link: CVE-2025-49893

Vulnrichment

Updated: 2025-08-20T17:50:32.480Z

NVD

Status : Deferred

Published: 2025-08-20T08:15:38.820

Modified: 2026-04-23T15:31:47.900

Link: CVE-2025-49893

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:00:13Z

Weaknesses