Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in selloio Sello ChannelConnector sello-channelconnector allows Reflected XSS. This issue affects Sello ChannelConnector: from n/a through <= 1.6.3.
Published: 2025-10-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Sello ChannelConnector plugin contains a reflected cross‑site scripting flaw that allows attackers to inject arbitrary scripts into web pages viewed by users. If an attacker can craft a URL that includes a malicious payload, any user who visits that link will have the script executed in their browser, potentially hijacking sessions, stealing credentials, or defacing the site. This vulnerability arises from improper sanitization of user input during web page generation and is classified as CWE‑79.

Affected Systems

WordPress sites that have the Sello ChannelConnector plugin installed at versions 1.6.3 or earlier are affected. The plugin is distributed by selloio under the name Sello ChannelConnector. No later versions are listed as vulnerable.

Risk and Exploitability

The CVSS score for this flaw is 7.1, indicating a high severity level. The EPSS score is below 1 %, suggesting a low exploitation probability in the current threat landscape, and the vulnerability is not listed in the CISA KEV catalog. However, because XSS can be triggered by a crafted link and does not require privileged access, the attack vector is potentially reachable in public‑facing content such as comments, search queries, or plugin settings.

Generated by OpenCVE AI on April 29, 2026 at 21:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Sello ChannelConnector plugin to the latest available version (1.6.4 or newer).
  • If an update cannot be applied immediately, disable the plugin or remove it from the WordPress installation to eliminate the attack surface.
  • Implement a Web Application Firewall rule that strips or sanitizes script tags from requests targeting the plugin’s endpoints.


Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 16:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in selloio Sello ChannelConnector sello-channelconnector allows Reflected XSS. This issue affects Sello ChannelConnector: from n/a through <= 1.6.3.

Type: Title
Values Removed: (none)
Values Added: WordPress Sello ChannelConnector plugin <= 1.6.3 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:04:58.173Z

Reserved: 2025-06-19T10:02:55.535Z

Link: CVE-2025-52754

Vulnrichment

Updated: 2025-10-23T15:29:29.295Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:45.313

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-52754

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T21:15:16Z

Weaknesses