Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xolluteon Dropshix allows DOM-Based XSS. This issue affects Dropshix: from n/a through 4.0.14.
Published: 2025-08-15
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a DOM‑based cross‑site scripting flaw caused by improper neutralization of user input during web page generation. It lets an attacker inject malicious script into pages viewed by users, enabling session hijacking, credential theft, or site defacement. This weakness is catalogued as CWE‑79.

Affected Systems

The affected application is the WordPress Dropshix plugin developed by Xolluteon. Versions up to and including 4.0.14 are vulnerable, so any site that uses that release of the plugin is at risk.

Risk and Exploitability

The CVSS score of 7.6 indicates a high severity. The EPSS score of less than 1 % suggests exploitation is unlikely but possible, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a crafted URL or abusive input that triggers client‑side script execution in the browser; attackers would need to lure a victim into visiting a page containing the malicious payload. While exploitation is currently uncommon, the high severity warrants prompt action to prevent potential compromise.

Generated by OpenCVE AI on April 30, 2026 at 16:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dropshix to version 4.0.15 or later, which removes the DOM‑based XSS flaw.
  • If an upgrade is not immediately possible, disable the plugin or remove its exposed user‑input endpoints to prevent exploitation.
  • Regularly audit plugins for input validation issues and apply vendor patches in a timely manner.


Advisories
Source: EUVD
ID: EUVD-2025-25040
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xolluteon Dropshix allows DOM-Based XSS. This issue affects Dropshix: from n/a through 4.0.14.
History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Xolluteon School Management school-management allows SQL Injection.This issue affects School Management: from n/a through <= 93.2.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xolluteon Dropshix allows DOM-Based XSS.This issue affects Dropshix: from n/a through 4.0.14.
Title WordPress School Management Plugin <= 93.2.0 - SQL Injection Vulnerability WordPress Dropshix plugin <= 4.0.14 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Thu, 23 Apr 2026 15:45:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xolluteon Dropshix allows DOM-Based XSS.This issue affects Dropshix: from n/a through 4.0.14. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Xolluteon School Management school-management allows SQL Injection.This issue affects School Management: from n/a through <= 93.2.0.
Title WordPress Dropshix plugin <= 4.0.14 - Cross Site Scripting (XSS) vulnerability WordPress School Management Plugin <= 93.2.0 - SQL Injection Vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Sat, 16 Aug 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 15 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 Aug 2025 15:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xolluteon Dropshix allows DOM-Based XSS.This issue affects Dropshix: from n/a through 4.0.14.
Title WordPress Dropshix plugin <= 4.0.14 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:07.386Z

Reserved: 2025-06-11T16:06:34.447Z

Link: CVE-2025-49898

Vulnrichment

Updated: 2025-08-15T19:12:05.315Z

NVD

Status : Deferred

Published: 2025-08-15T16:15:29.957

Modified: 2026-04-28T19:33:11.620

Link: CVE-2025-49898

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:15:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')