Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Wizard Cloak wp-wizard-cloak allows Reflected XSS. This issue affects WP Wizard Cloak: from n/a through <= 1.0.1.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected Cross‑Site Scripting (XSS) flaw in the WP Wizard Cloak plugin that allows an attacker to inject malicious scripts into pages served to users. This can lead to theft of session cookies, credential hijacking, defacement of content, or redirection to phishing sites, thereby compromising user confidentiality and the integrity of the website. The weakness arises from improper neutralization of user input during page rendering and is catalogued as CWE‑79.

Affected Systems

The flaw affects the WP Wizard Cloak plugin sold by Soflyy for WordPress sites. Versions up to and including 1.0.1 are impacted. Any WordPress site running those versions is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a reflected XSS via crafted URL parameters or form input that the plugin fails to sanitize, requiring an end‑user to load a malicious link or enter malicious data.

Generated by OpenCVE AI on April 29, 2026 at 14:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Wizard Cloak plugin to the latest available version (>=1.0.2).
  • If an immediate update is not possible, disable or remove the plugin from the WordPress installation.
  • Implement a Content Security Policy that disallows inline scripts and restricts allowed origins.
  • Consider using a web application firewall that blocks common XSS payloads.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Soflyy
Soflyy wp Wizard Cloak
Wordpress
Wordpress wordpress
Vendors & Products Soflyy
Soflyy wp Wizard Cloak
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Wizard Cloak wp-wizard-cloak allows Reflected XSS. This issue affects WP Wizard Cloak: from n/a through <= 1.0.1.
Title WordPress WP Wizard Cloak Plugin <= 1.0.1 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:12:19.056Z

Reserved: 2025-06-27T10:28:11.948Z

Link: CVE-2025-53237

Vulnrichment

Updated: 2026-02-23T21:46:55.798Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:02.223

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-53237

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T14:45:13Z

Weaknesses