Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in karimmughal Dot html,php,xml etc pages dot-htmlphpxml-etc-pages allows Reflected XSS. This issue affects Dot html,php,xml etc pages: from n/a through <= 1.0.
Published: 2025-07-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Dot html,php,xml etc pages WordPress plugin does not properly neutralize input during web page generation. An attacker can supply crafted data that is reflected back into the page without proper encoding, which is a reflected XSS vulnerability as described by CWE-79. The vulnerability can allow execution of arbitrary scripts in the victim's browser, potentially capturing credentials or performing actions on behalf of the user.

Affected Systems

Affected systems include any WordPress installation that has the karimmughal Dot html,php,xml etc pages plugin at version 1.0 or earlier. The stated range (from n/a through 1.0) indicates that all releases from the earliest available through version 1.0 are vulnerable; no later versions are mentioned as fixed.

Risk and Exploitability

The CVSS score of 7.1 highlights a significant impact, while the EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. An attacker can exploit the flaw by crafting a URL or form input that the plugin echoes back to a visitor, so the likely attack vector is via reflected input in a web page that the user views. The exploit does not require authentication and can be performed over HTTP or HTTPS.

Generated by OpenCVE AI on April 30, 2026 at 09:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Dot html,php,xml etc pages plugin to a version newer than 1.0 or replace it with an alternative that properly sanitizes input.
  • If an upgrade is not immediately available, deactivate or uninstall the plugin to eliminate the XSS surface.
  • Implement input validation and output encoding in the plugin code, ensuring that any data reflected in HTML, XML, or PHP pages is properly escaped according to best practices for preventing XSS.



Advisories
Source: EUVD
ID: EUVD-2025-21635
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in karimmughal Dot html,php,xml etc pages allows Reflected XSS. This issue affects Dot html,php,xml etc pages: from n/a through 1.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in karimmughal Dot html,php,xml etc pages allows Reflected XSS. This issue affects Dot html,php,xml etc pages: from n/a through 1.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in karimmughal Dot html,php,xml etc pages dot-htmlphpxml-etc-pages allows Reflected XSS.This issue affects Dot html,php,xml etc pages: from n/a through <= 1.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00032}


Wed, 16 Jul 2025 11:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in karimmughal Dot html,php,xml etc pages allows Reflected XSS. This issue affects Dot html,php,xml etc pages: from n/a through 1.0.
Title WordPress Dot html,php,xml etc pages plugin <= 1.0 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:18.697Z

Reserved: 2025-06-19T10:03:15.195Z

Link: CVE-2025-52779

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2025-07-16T12:15:28.937

Modified: 2026-04-23T15:32:09.477

Link: CVE-2025-52779

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T09:30:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')