Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NickDuncan Nifty Backups nifty-backups allows Reflected XSS.This issue affects Nifty Backups: from n/a through <= 1.08.
Published: 2025-10-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation that allows reflected cross‑site scripting. An attacker can supply malicious script via request parameters that is echoed back to the browser, enabling the execution of arbitrary javascript in the context of the site. This can lead to cookie theft, session hijacking, or defacement of the site.

Affected Systems

The issue affects the NickDuncan Nifty Backups plugin for WordPress. Versions from the earliest release up to and including 1.08 are vulnerable, as the flaw exists in all releases up to 1.08.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity vulnerability. The EPSS score of less than 1% suggests a very low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a reflected XSS payload injected through the plugin's web interface, requiring an affected user to visit a crafted URL or interact with vulnerable input. The vulnerability could be exploited by an attacker who can lure the target to a malicious link or by compromising a site that serves the vulnerable plugin to visitors.

Generated by OpenCVE AI on April 29, 2026 at 16:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Nifty Backups plugin to a version newer than 1.08 or remove the plugin from the WordPress installation
  • If an update cannot be applied immediately, restrict or disable the plugin’s administrative functions to prevent the vulnerable input from being processed
  • Perform a site audit for injected scripts and run a vulnerability scanner to confirm that the reflected XSS issue has been resolved

Generated by OpenCVE AI on April 29, 2026 at 16:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Oct 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NickDuncan Nifty Backups nifty-backups allows Reflected XSS.This issue affects Nifty Backups: from n/a through <= 1.08.
Title WordPress Nifty Backups plugin <= 1.08 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:05:29.693Z

Reserved: 2025-06-19T10:03:02.783Z

Link: CVE-2025-52763

cve-icon Vulnrichment

Updated: 2025-10-23T15:35:37.184Z

cve-icon NVD

Status : Deferred

Published: 2025-10-22T15:15:46.063

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-52763

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T16:45:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')