Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Weboccult Technologies Pvt Ltd Email Attachment by Order Status & Products email-attachment-by-order-status-products allows Reflected XSS. This issue affects Email Attachment by Order Status & Products: from n/a through <= 1.0.1.
Published: 2025-10-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin contains a reflected XSS flaw that allows an attacker to inject unsanitized user input into the browser during page generation. An attacker can craft a malicious input that will be echoed back in the page and executed in the victim's browser session, potentially leading to session hijacking, defacement, or theft of credentials. This weakness is a classic input validation failure, identified as CWE‑79.

Affected Systems

WordPress sites that have Weboccult Technologies Pvt Ltd Email Attachment by Order Status & Products installed in any version up to and including 1.0.1 are affected.

Risk and Exploitability

With a CVSS score of 7.1, the vulnerability is considered high severity. The EPSS score is below 1%, indicating a low current exploitation probability, and the issue is not listed in CISA's KEV catalog. The likely attack vector is through the web interface where the plugin processes user input, such as URLs or form submissions that reflect data back to the page. If an attacker can deliver a crafted request to a vulnerable site, the referrer or query string gets rendered unsafely.

Generated by OpenCVE AI on April 29, 2026 at 21:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Email Attachment by Order Status & Products to a patched version if available from the vendor.
  • Restrict plugin usage to trusted administrators and enforce least‑privilege WordPress accounts.
  • If an update is not immediately available, disable the plugin until the fix is released.
  • Implement a web application firewall or content‑security‑policy rule that blocks common XSS payloads on plugin pages.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Weboccult Technologies Pvt Ltd Email Attachment by Order Status &amp; Products email-attachment-by-order-status-products allows Reflected XSS.This issue affects Email Attachment by Order Status &amp; Products: from n/a through <= 1.0.1.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Weboccult Technologies Pvt Ltd Email Attachment by Order Status & Products email-attachment-by-order-status-products allows Reflected XSS.This issue affects Email Attachment by Order Status & Products: from n/a through <= 1.0.1.

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 18:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 23 Oct 2025 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  • cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
  • ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  • Weboccult Technologies
  • Weboccult Technologies email Attachment By Order Status And Products
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  • Weboccult Technologies
  • Weboccult Technologies email Attachment By Order Status And Products
  • Wordpress
  • Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Weboccult Technologies Pvt Ltd Email Attachment by Order Status &amp; Products email-attachment-by-order-status-products allows Reflected XSS.This issue affects Email Attachment by Order Status &amp; Products: from n/a through <= 1.0.1.

Type: Title
Values Removed: (none)
Values Added: WordPress Email Attachment by Order Status & Products Plugin <= 1.0.1 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:28:43.883Z

Reserved: 2025-06-11T16:07:34.181Z

Link: CVE-2025-49957

Vulnrichment

Updated: 2025-10-23T14:27:42.733Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:42.270

Modified: 2026-04-28T19:33:16.100

Link: CVE-2025-49957

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T21:15:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')