Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eboekhouden e-Boekhouden.nl e-boekhoudennl-connector allows Reflected XSS. This issue affects e-Boekhouden.nl: from n/a through <= 1.9.3.
Published: 2025-08-28
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of input during web page generation, permitting reflected XSS in the e‑boekhouden.nl WordPress plugin. An attacker can supply crafted user input that the plugin incorporates into the page without adequate escaping, resulting in the execution of arbitrary JavaScript in the victim’s browser.

Affected Systems

The flaw affects the e‑boekhouden.nl WordPress plugin version 1.9.3 and all earlier releases. Users who have installed this plugin on their WordPress sites are potentially vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.1, indicating a high‑risk issue. The EPSS score of less than 1% suggests the probability of exploitation is low but not zero, and the vulnerability is not yet listed in the CISA KEV catalog. The description indicates a reflected XSS attack vector: an adversary would need to craft a malicious link whose payload the plugin reflects into the page and get a victim user to visit it, allowing execution of client‑side code in that user's browser and potential data exfiltration or session hijacking.

Generated by OpenCVE AI on April 30, 2026 at 07:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the e‑boekhouden.nl plugin to a version newer than 1.9.3, which contains the XSS fix.
  • If an update is not immediately available, temporarily disable the affected functionality or restrict user input to a whitelist of safe characters to prevent code injection.
  • Implement a WAF rule or a Content Security Policy that blocks or sanitizes attempts to inject arbitrary JavaScript into pages served by the plugin.



Advisories
Source ID Title
EUVD EUVD-2025-26000 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eboekhouden e-Boekhouden.nl allows Reflected XSS. This issue affects e-Boekhouden.nl: from n/a through 1.9.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eboekhouden e-Boekhouden.nl allows Reflected XSS. This issue affects e-Boekhouden.nl: from n/a through 1.9.3. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eboekhouden e-Boekhouden.nl e-boekhoudennl-connector allows Reflected XSS.This issue affects e-Boekhouden.nl: from n/a through <= 1.9.3.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 29 Aug 2025 09:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 Aug 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 28 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eboekhouden e-Boekhouden.nl allows Reflected XSS. This issue affects e-Boekhouden.nl: from n/a through 1.9.3.
Title WordPress e-Boekhouden.nl Plugin <= 1.9.3 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:21.507Z

Reserved: 2025-06-27T10:28:03.499Z

Link: CVE-2025-53225

Vulnrichment

Updated: 2025-08-28T13:29:36.529Z

NVD

Status : Deferred

Published: 2025-08-28T13:16:01.757

Modified: 2026-04-23T15:32:19.420

Link: CVE-2025-53225

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T07:45:26Z

Weaknesses