Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in G5Theme Grid Plus grid-plus allows Reflected XSS. This issue affects Grid Plus: from n/a through <= 3.3.
Published: 2025-10-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Neutralization of Input During Web Page Generation: untrusted request data is reflected back into the page without proper sanitization, allowing an attacker to inject arbitrary script, a classic reflected XSS (CWE-79). An attacker who exploits it can steal cookies, hijack sessions, or execute unauthorized actions within the victim's browser.

Affected Systems

Grid Plus plugin for WordPress, distributed by G5Theme. All releases from the earliest available version up to and including 3.3 are affected; versions 3.4 and later are presumed to contain the fix.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate severity, while the EPSS score of less than 1% shows a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is malicious script injected via a crafted URL or form field that is reflected back into the page; exploitation requires only that the victim visit the link or submit the payload. No privileges or additional vulnerabilities are required; the impact is confined to the victim's browser session, i.e. user interaction and client-side compromise.

Generated by OpenCVE AI on April 29, 2026 at 16:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade G5Theme Grid Plus to the latest version (≥3.4) that removes the XSS flaw.
  • If an immediate upgrade is not possible, implement a Content Security Policy that blocks inline scripts and restricts allowed script sources to mitigate the impact of reflected XSS.
  • Deploy a web application firewall or configure WordPress security plugins to filter and block malicious input targeting the Grid Plus plugin.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: G5theme; G5theme grid-plus; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: G5theme; G5theme grid-plus; Wordpress; Wordpress wordpress


Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in G5Theme Grid Plus grid-plus allows Reflected XSS. This issue affects Grid Plus: from n/a through <= 3.3.

Type: Title
Values Removed: (none)
Values Added: WordPress Grid Plus plugin <= 3.3 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:13:20.506Z

Reserved: 2025-06-27T11:59:38.159Z

Link: CVE-2025-53352

Vulnrichment

Updated: 2025-10-23T16:09:44.975Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:49.183

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-53352

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T16:45:15Z

Weaknesses