Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Directory Pro directory-pro allows Reflected XSS. This issue affects Directory Pro: from n/a through <= 2.5.5.
Published: 2025-10-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation results in a reflected XSS flaw in the e-plugins Directory Pro plugin. The vulnerability lets an attacker embed malicious script into page content that is returned to a victim's browser, potentially enabling credential theft, session hijacking, or delivery of arbitrary malware. The weakness is classified as CWE-79 and affects the confidentiality and integrity of users of the vulnerable site.

Affected Systems

WordPress sites that use the Directory Pro plugin version 2.5.5 or earlier are affected. The plugin is distributed by e-plugins and installed as a WordPress component, so any site running the plugin without updates is vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate to high severity. The EPSS score is below 1%, showing a very low current exploitation probability, and the issue is not listed in the CISA KEV catalog. A typical attack requires the victim to click a crafted link or submit malicious input via the plugin UI, so exploitation depends on user interaction. Because the flaw is reflected, it is triggered through a crafted URL rather than stored content, and it does not grant code execution or persistence on the host.

Generated by OpenCVE AI on April 29, 2026 at 21:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Directory Pro plugin version (2.5.6 or newer) to address the XSS vulnerability.
  • After updating, audit and cleanse existing content for any previously injected scripts that may remain in stored input fields.
  • Deploy a Web Application Firewall rule that blocks common XSS payloads on Directory Pro form submissions until the plugin is fully patched.

Generated by OpenCVE AI on April 29, 2026 at 21:03 UTC.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: E-plugins; E-plugins directory Pro; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: E-plugins; E-plugins directory Pro; Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Directory Pro directory-pro allows Reflected XSS. This issue affects Directory Pro: from n/a through <= 2.5.5.

Type: Title
Values Removed: (none)
Values Added: WordPress Directory Pro plugin <= 2.5.5 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none)

Subscriptions

E-plugins Directory Pro
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:03:57.830Z

Reserved: 2025-06-19T10:02:55.535Z

Link: CVE-2025-52748

Vulnrichment

Updated: 2025-10-23T15:14:12.810Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:44.593

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-52748

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T21:15:16Z

Weaknesses