Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Reflected XSS. This issue affects NextMove Lite: from n/a through <= 2.24.0.
Published: 2025-10-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a reflected cross-site scripting issue (CWE-79): request data that reaches the plugin's thank-you page rendering is written into the HTML without being neutralized for its output context, so a crafted request comes back as live markup rather than text. A victim who opens the attacker's link gets arbitrary JavaScript executed in their browser in the origin of the WordPress site, with access to whatever that page and the victim's session expose: the order details shown on a WooCommerce thank-you page for a customer, or authenticated wp-admin actions if the victim is a logged-in administrator, since script running in the site origin can read the nonces those actions require.

Affected Systems

The affected product is the XLPlugins NextMove Lite plugin for WordPress (slug woo-thank-you-page-nextmove-lite, a WooCommerce thank-you page plugin). The CVE record gives the affected range as all releases through 2.24.0. Note that the record originally stated <= 2.21.0 and was widened to <= 2.24.0 on 1 Apr 2026, so a site that was updated past 2.21.0 on the strength of the earlier advisory is still inside the affected range. This page does not identify a fixed release.

Risk and Exploitability

The current CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L with a base score of 7.1, which is High on the CVSS v3.1 qualitative scale (7.0 and above), not moderate. PR:N means no privileges are required, and UI:R captures the one constraint of a reflected XSS: the attacker has to get a victim to open a crafted URL or submit a crafted form, for example through a phishing mail or a link placed on another site. S:C records that the script runs in the victim's browser rather than in the vulnerable component itself. The EPSS probability is below 1%, a low predicted likelihood of exploitation activity in the wild over the next 30 days, and the CVE is not in the CISA KEV catalog. Treat the scoring as provisional: the history below shows the CVSS vector revised four times (9.1, then 7.3, 6.5 and 7.1, with the privileges-required component moving between L and N), and the SSVC assessment changed on 27 Apr 2026 from Automatable: yes / Technical Impact: total to Automatable: no / Technical Impact: partial. The page does not name the vulnerable parameter or sink, so confirm exposure on your own installation rather than relying on the score alone.

Generated by OpenCVE AI on April 30, 2026 at 14:49 UTC.
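
The two paragraphs above describe the mechanism (a request parameter reflected unescaped into the thank-you page) and the question a practitioner has to answer (does my installation actually reflect input?). The following is an added example written for this page, not code from NextMove Lite, XLPlugins or OpenCVE: it models a thank-you page that echoes a GET parameter into both element text and an attribute value, the same page with the output neutralized, and an offline reflection check that injects a canary containing every HTML metacharacter and classifies where it lands. The parameter name `order_note`, the markup and all function names are assumptions made for illustration; the CVE record does not name the real parameter or sink. `html.escape(quote=True)` stands in for what WordPress's `esc_html()`/`esc_attr()` do for these two contexts.

```python
"""Reflected-XSS model and offline reflection check for a WooCommerce
thank-you page.  Added example, not code from NextMove Lite or OpenCVE.
The parameter name `order_note`, the markup and the helper names are
assumptions for illustration; the CVE record does not name the real sink."""
import html
import re
from urllib.parse import parse_qs, urlencode

# Canary: an unlikely prefix plus every metacharacter that matters in HTML
# text and attribute contexts.  If it comes back byte-for-byte, the sink
# writes request input into the page without neutralization (CWE-79).
CANARY = 'xq9z"\'<>zz'
PARAM = "order_note"  # assumed parameter name, not from the CVE record


def _note_from_query(query: str) -> str:
    """Extract the (assumed) order_note GET parameter from a query string."""
    return parse_qs(query).get(PARAM, [""])[0]


def render_thankyou_vulnerable(query: str) -> str:
    """Hypothetical vulnerable renderer: the request parameter is echoed
    verbatim into element text and into a quoted attribute value."""
    note = _note_from_query(query)
    return (
        '<div class="thankyou"><h2>Thanks for your order</h2>'
        f"<p>Note: {note}</p>"
        f'<input type="hidden" name="{PARAM}" value="{note}"></div>'
    )


def render_thankyou_hardened(query: str) -> str:
    """Same page with the parameter neutralized for its output contexts.
    html.escape(quote=True) encodes & < > " and ', so one call covers both
    the text sink and the double-quoted attribute sink (the equivalent of
    esc_html()/esc_attr() in WordPress for these two contexts)."""
    safe = html.escape(_note_from_query(query), quote=True)
    return (
        '<div class="thankyou"><h2>Thanks for your order</h2>'
        f"<p>Note: {safe}</p>"
        f'<input type="hidden" name="{PARAM}" value="{safe}"></div>'
    )


def check_reflection(render, param: str = PARAM) -> dict:
    """Request the page with the canary in `param` and classify the result.

    reflected: the canary prefix appears at all (input reaches the page)
    unescaped: the full canary, metacharacters included, survives verbatim
    contexts:  for each verbatim hit, whether it landed inside a tag
               (attribute context) or in element text
    """
    body = render(urlencode({param: CANARY}))
    verdict = {
        "reflected": CANARY[:4] in body,
        "unescaped": CANARY in body,
        "contexts": [],
    }
    for m in re.finditer(re.escape(CANARY), body):
        before = body[: m.start()]
        # An unclosed '<' before the hit means the canary sits inside a tag,
        # i.e. in an attribute value; otherwise it is element text.
        inside_tag = before.rfind("<") > before.rfind(">")
        verdict["contexts"].append("attribute" if inside_tag else "text")
    return verdict


if __name__ == "__main__":
    print("vulnerable:", check_reflection(render_thankyou_vulnerable))
    print("hardened:  ", check_reflection(render_thankyou_hardened))
```

Against a real site the `render` callable would be replaced by an HTTP fetch of the thank-you URL; the canary approach is the same. A hit in attribute context with `"` surviving, or in text context with `<>` surviving, is what turns a reflection into executable script, which is why the check records the context and not just the presence of the canary.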

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NextMove Lite to a release later than 2.24.0 that the vendor or Patchstack confirms as fixed. This page does not name one (the Remediation field above records no vendor fix), and the affected range has already been widened once from <= 2.21.0 to <= 2.24.0, so verify the fixed version against the vendor changelog or the Patchstack advisory before treating an upgrade as closing the issue.
  • If an immediate upgrade is not possible, deactivate or uninstall the plugin; with the plugin inactive its thank-you page output is not rendered, which removes the reflected XSS surface.
  • Add a Content Security Policy that disallows inline script and restricts script sources. On WordPress that means a nonce- or hash-based script-src rather than 'unsafe-inline' (which leaves reflected XSS exploitable), and because core, themes and other plugins emit inline scripts, roll the policy out as Content-Security-Policy-Report-Only first and fix the reported breakage before enforcing it. CSP limits the impact of this and other XSS bugs but does not replace the plugin fix.

Generated by OpenCVE AI on April 30, 2026 at 14:49 UTC.


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Reflected XSS. This issue affects NextMove Lite: from n/a through <= 2.21.0.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Reflected XSS. This issue affects NextMove Lite: from n/a through <= 2.24.0.
Type: Title
Values Removed: WordPress NextMove Lite plugin <= 2.21.0 - Cross Site Scripting (XSS) vulnerability
Values Added: WordPress NextMove Lite plugin <= 2.24.0 - Cross Site Scripting (XSS) vulnerability

Mon, 02 Feb 2026 17:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Thu, 22 Jan 2026 23:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:xlplugins:nextmove:*:*:*:*:lite:wordpress:*:*

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 18:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
Values Added: cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


Thu, 23 Oct 2025 14:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Xlplugins; Xlplugins nextmove
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Xlplugins; Xlplugins nextmove

Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Reflected XSS. This issue affects NextMove Lite: from n/a through <= 2.21.0.
Type: Title
Values Added: WordPress NextMove Lite plugin <= 2.21.0 - Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Values Added: CWE-79
Type: References (no values recorded)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:17.689Z

Reserved: 2025-06-19T10:02:39.648Z

Link: CVE-2025-52735

Vulnrichment

Updated: 2025-10-23T14:08:52.514Z

NVD

Status : Modified

Published: 2025-10-22T15:15:43.563

Modified: 2026-04-27T17:16:26.303

Link: CVE-2025-52735

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:00:14Z

Weaknesses