Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Globalis MultiSite Clone Duplicator multisite-clone-duplicator allows Reflected XSS. This issue affects MultiSite Clone Duplicator: from n/a through <= 1.5.3.
Published: 2025-10-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of input during web page generation in the MultiSite Clone Duplicator plugin, allowing reflected XSS. This flaw (CWE-79) permits an attacker to inject script payloads into pages viewed by other users. Successful exploitation could lead to cookie theft, session hijacking or defacement of the WordPress site.

Affected Systems

The affected software is Globalis’ MultiSite Clone Duplicator plugin for WordPress multisite installations, in all versions up to and including 1.5.3. Any installation of the plugin at or below 1.5.3 is potentially vulnerable, regardless of WordPress core version.

Risk and Exploitability

The CVSS base score of 7.1 is rated High. The EPSS score is below 1%, suggesting a low exploitation probability, and the vulnerability is not listed in CISA KEV. The likely attack vector is the web interface where plugin parameters are reflected in responses. Administrators should treat affected installations as at risk until the plugin is patched.

Generated by OpenCVE AI on April 30, 2026 at 05:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MultiSite Clone Duplicator plugin to the latest available version (1.5.4 or later) or remove it if no update is immediately available.
  • Ensure the plugin is only accessible by trusted administrators and consider disabling it for non-admin users until the fix is applied.
  • Configure WordPress and the web server to apply strict Content-Security-Policy headers that block inline scripts and mitigate the impact of any residual XSS vectors.



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Globalis MultiSite Clone Duplicator multisite-clone-duplicator allows Reflected XSS. This issue affects MultiSite Clone Duplicator: from n/a through <= 1.5.3.
Title WordPress MultiSite Clone Duplicator plugin <= 1.5.3 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:18.269Z

Reserved: 2025-06-19T10:03:02.782Z

Link: CVE-2025-52760

Vulnrichment

Updated: 2025-10-23T13:35:52.695Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:45.937

Modified: 2026-04-27T17:16:27.080

Link: CVE-2025-52760

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T05:45:16Z

Weaknesses