Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michel - xiligroup dev xili-dictionary xili-dictionary allows Reflected XSS.This issue affects xili-dictionary: from n/a through <= 2.12.5.2.
Published: 2025-06-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper neutralization of input during web page generation (Cross‑Site Scripting) is present in the xili‑dictionary WordPress plugin. Attackers can embed malicious scripts that are reflected back to a visitor’s browser when the page is rendered, enabling execution of code in the context of the site’s users. The flaw falls under CWE‑79.

Affected Systems

The vulnerability affects the Michel‑xiligroup dev xili‑dictionary plugin for WordPress, all releases up to and including version 2.12.5.2. Any WordPress site that has this plugin installed and hasn’t upgraded beyond that version is potentially exposed.

Risk and Exploitability

The CVSS score of 7.1 marks this as a high‑severity issue, while an EPSS score of less than 1% indicates a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers can remote‑trigger the reflected XSS by crafting a malicious URL or input that the plugin processes, requiring the victim to visit a crafted link or interact with the plugin’s page.

Generated by OpenCVE AI on April 30, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the xili‑dictionary plugin to a version newer than 2.12.5.2 if an update is available from the vendor or the WordPress repository.
  • If an immediate upgrade is not possible, disable or remove the plugin from publicly accessible pages, or restrict its functionality to administrator accounts only.
  • Apply a strong Content Security Policy that disallows inline scripts and restricts script sources to mitigate the effects of reflected XSS.

Generated by OpenCVE AI on April 30, 2026 at 17:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19301 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michel - xiligroup dev xili-dictionary allows Reflected XSS. This issue affects xili-dictionary: from n/a through 2.12.5.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michel - xiligroup dev xili-dictionary allows Reflected XSS. This issue affects xili-dictionary: from n/a through 2.12.5.2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michel - xiligroup dev xili-dictionary xili-dictionary allows Reflected XSS.This issue affects xili-dictionary: from n/a through <= 2.12.5.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 27 Jun 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Jun 2025 12:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michel - xiligroup dev xili-dictionary allows Reflected XSS. This issue affects xili-dictionary: from n/a through 2.12.5.2.
Title WordPress xili-dictionary plugin <= 2.12.5.2 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:18.649Z

Reserved: 2025-06-19T10:03:15.195Z

Link: CVE-2025-52778

cve-icon Vulnrichment

Updated: 2025-06-27T13:07:48.503Z

cve-icon NVD

Status : Deferred

Published: 2025-06-27T12:15:41.910

Modified: 2026-04-23T15:32:09.373

Link: CVE-2025-52778

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T17:30:26Z

Weaknesses