Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in colome Slide Puzzle slide-puzzle allows Reflected XSS. This issue affects Slide Puzzle: from n/a through <= 1.0.0.
Published: 2025-10-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an improper neutralization of input during web page generation, identified as CWE‑79, that enables reflected XSS. When a user visits a maliciously crafted URL or submits malicious data to Slide Puzzle, the plugin outputs the input back to the page without proper escaping. An attacker could then run arbitrary JavaScript in the victim’s browser, which could be used to hijack the session, steal cookies, or deface the site.

Affected Systems

The affected product is colome Slide Puzzle, any release from the earliest available through version 1.0.0. No higher versions are known to be affected.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity, but the EPSS score of less than 1% and its absence from the CISA KEV catalog suggest a low likelihood of active exploitation at this time. Attackers would likely need to lure a user to a crafted link or inject data into a form that the plugin reflects, which is a typical web‑based attack vector. Although current exploitation probability is low, the impact of a successful exploit is significant for sites that rely on the plugin.

Generated by OpenCVE AI on April 29, 2026 at 16:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Slide Puzzle to a version newer than 1.0.0 once the vendor releases a fix.
  • If no update is available, disable or remove the plugin from the site.
  • Ensure that all user‑supplied data processed by the plugin is server‑side validated and properly escaped before rendering.
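The last action above is the substantive fix for a CWE-79 reflected XSS: validate what comes in, then escape on output according to the HTML context it lands in. The following is an added illustration written for this page, not code from the Slide Puzzle plugin or from Patchstack; it assumes a WordPress environment (esc_html(), esc_attr(), sanitize_text_field(), wp_unslash(), absint() and add_shortcode() are WordPress core functions), and the shortcode name, parameter names and markup are hypothetical.

```php
<?php
// Added illustration, not the Slide Puzzle plugin's own code. Assumes WordPress
// is loaded; the shortcode name, parameter names and HTML are hypothetical.

// --- Vulnerable pattern: a request value is written straight into the page. ---
// This is the shape of bug the advisory describes: whatever arrives in the
// parameter is interpreted by the visiting browser as markup.
function hypothetical_puzzle_vulnerable() {
    $title = isset( $_GET['puzzle_title'] ) ? $_GET['puzzle_title'] : 'Puzzle';
    $size  = isset( $_GET['puzzle_size'] ) ? $_GET['puzzle_size'] : '3';
    return '<div class="puzzle" data-size="' . $size . '"><h2>' . $title . '</h2></div>';
}

// --- Hardened pattern: validate on input, escape on output, per context. ---
function hypothetical_puzzle_hardened() {
    // Free-text parameter: unslash, then reduce to a plain single-line string
    // and enforce a length the feature actually needs.
    $title = isset( $_GET['puzzle_title'] )
        ? sanitize_text_field( wp_unslash( $_GET['puzzle_title'] ) )
        : 'Puzzle';
    if ( '' === $title || mb_strlen( $title ) > 80 ) {
        $title = 'Puzzle';
    }

    // Numeric parameter: coerce to a non-negative integer and confine it to
    // the range the puzzle supports (hypothetical bounds).
    $size = isset( $_GET['puzzle_size'] ) ? absint( $_GET['puzzle_size'] ) : 3;
    if ( $size < 2 || $size > 8 ) {
        $size = 3;
    }

    // Escaping is chosen by where the value lands: esc_attr() inside an
    // attribute value, esc_html() inside element text. Input validation
    // alone does not replace this step; both layers are applied.
    return '<div class="puzzle" data-size="' . esc_attr( (string) $size ) . '"><h2>'
        . esc_html( $title ) . '</h2></div>';
}

// Only the hardened handler is registered; the vulnerable one is kept for contrast.
add_shortcode( 'hypothetical_puzzle', 'hypothetical_puzzle_hardened' );
```

The design point is that the escaping function matches the output context: a value placed in an attribute is escaped with esc_attr(), one placed in element content with esc_html(), and a URL would use esc_url(). Reviewing a plugin for this class of issue means tracing every request-derived value to the point where it is echoed and checking that such a context-appropriate call sits at that point.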


Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
        |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wordpress; Wordpress wordpress
Vendors & Products  |                | Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in colome Slide Puzzle slide-puzzle allows Reflected XSS. This issue affects Slide Puzzle: from n/a through <= 1.0.0.
Title       |                | WordPress Slide Puzzle plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses  |                | CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:04:27.969Z

Reserved: 2025-06-19T10:02:55.535Z

Link: CVE-2025-52751

Vulnrichment

Updated: 2025-10-23T15:17:23.693Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:44.947

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-52751

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T16:45:15Z

Weaknesses