Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexostudio Flexo Counter flexo-countdown allows Reflected XSS. This issue affects Flexo Counter: from n/a through <= 1.0001.
Published: 2025-06-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Flexo Counter WordPress plugin is vulnerable to reflected cross‑site scripting due to improper input neutralisation during page generation. An attacker who can craft a URL containing malicious JavaScript can cause that code to execute in the browser of any visitor who follows the link, leading to cookie theft, session hijacking, defacement, or the loading of malicious resources.

Affected Systems

The flaw affects the Flexo Counter plugin from flexostudio, from the earliest released version up to and including version 1.0001. Users running any of these versions on a WordPress site are vulnerable.

Risk and Exploitability

The CVSS score is 7.1, indicating a medium‑to‑high severity with a high impact on confidentiality, integrity and availability of user sessions. The EPSS score is below 1%, suggesting that exploitation attempts are unlikely at this time, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is web‑based; an attacker can exploit the flaw by embedding a malicious payload in a URL that is accessed by unsuspecting visitors. The vulnerability is reflected, meaning the attacker does not need any privileged access to the site to deliver the payload.

Generated by OpenCVE AI on April 30, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Flexo Counter to a version that fixes the XSS flaw (e.g., 1.0002 or later).
  • If an update is not immediately available, disable or uninstall the Flexo Counter plugin to remove the exposure.
  • Apply a web application firewall rule or content‑filtering policy to block or neutralise malicious script payloads if the plugin must remain active as a temporary measure.

Advisories
Source: EUVD
ID: EUVD-2025-19290
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexostudio Flexo Counter allows Reflected XSS. This issue affects Flexo Counter: from n/a through 1.0001.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexostudio Flexo Counter allows Reflected XSS. This issue affects Flexo Counter: from n/a through 1.0001.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexostudio Flexo Counter flexo-countdown allows Reflected XSS. This issue affects Flexo Counter: from n/a through <= 1.0001.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 27 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Jun 2025 12:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexostudio Flexo Counter allows Reflected XSS. This issue affects Flexo Counter: from n/a through 1.0001.
Title WordPress Flexo Counter plugin <= 1.0001 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:16.986Z

Reserved: 2025-06-11T16:08:50.968Z

Link: CVE-2025-50052

Vulnrichment

Updated: 2025-06-27T12:43:01.280Z

NVD

Status: Deferred

Published: 2025-06-27T12:15:38.837

Modified: 2026-04-23T15:32:03.290

Link: CVE-2025-50052

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T17:30:26Z

Weaknesses