Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bobbingwide oik oik allows Reflected XSS. This issue affects oik: from n/a through <= 4.15.2.
Published: 2025-08-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation (CWE‑79), allowing reflected XSS in the bobbingwide oik WordPress plugin. An attacker can craft input that is echoed back into the page without proper encoding. This enables arbitrary script execution within the victim’s browser when they view the affected page, potentially compromising confidentiality, integrity, and availability of the web application for users who encounter the page.
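
The following is an added illustration of the CWE-79 pattern described above and of the WordPress output-encoding idiom that prevents it; it is not code from the oik plugin, and the parameter name `search`, the shortcode name and the function names are hypothetical. It assumes it runs inside WordPress, where `wp_unslash`, `sanitize_text_field`, `esc_html`, `esc_attr` and `add_shortcode` are available.

```php
<?php
// Added example (not the oik plugin's code): reflected XSS versus the
// WordPress escaping idiom. Parameter/shortcode names are hypothetical.

// VULNERABLE pattern: a request parameter is concatenated straight into the
// page. Because nothing is encoded, a crafted "search" value is interpreted
// as markup by the viewer's browser instead of being shown as text.
function example_render_search_unsafe() {
    $term = isset( $_GET['search'] ) ? $_GET['search'] : '';
    return '<p>Results for: ' . $term . '</p>'
         . '<input type="text" name="search" value="' . $term . '">';
}

// HARDENED pattern: unslash and sanitize on the way in, then encode for the
// exact output context on the way out. esc_html() is for text between tags;
// esc_attr() is for a quoted attribute value. Both turn <, >, " and & into
// entities, so the reflected value can no longer close or open markup.
function example_render_search_safe() {
    $term = isset( $_GET['search'] )
        ? sanitize_text_field( wp_unslash( $_GET['search'] ) )
        : '';
    return '<p>Results for: ' . esc_html( $term ) . '</p>'
         . '<input type="text" name="search" value="' . esc_attr( $term ) . '">';
}

// Expose only the safe renderer; shortcodes return their HTML, so the
// encoding happens exactly where the value reaches the page.
add_shortcode( 'example_search', 'example_render_search_safe' );
```

When reviewing plugin code for this class of flaw, the check is mechanical: every `echo`, `print` or string return that includes request data must pass that data through the escaper matching its context (`esc_html`, `esc_attr`, `esc_url`, `esc_js`), and sanitizing on input is not a substitute for encoding on output.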

Affected Systems

WordPress sites that use the bobbingwide oik plugin up to and including version 4.15.2 are affected. Any deployment of the plugin in that version range must be examined; upgrading to any revision thereafter removes the known flaw.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, but the EPSS score of less than 1% suggests a low probability of active exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. It is a reflected XSS vulnerability, meaning an attacker can trigger it by supplying a crafted request that reaches the vulnerable endpoint, which typically requires no authentication. An attacker could thus execute arbitrary JavaScript in the context of the victim’s session when the crafted input is reflected.

Generated by OpenCVE AI on May 1, 2026 at 06:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the oik plugin to any version newer than 4.15.2.
  • If an upgrade cannot be performed immediately, restrict access to the plugin’s publicly reachable pages or disable the plugin on untrusted sites to mitigate exploitation risk.
  • Maintain awareness of vendor advisories and apply future patches promptly when available.

Advisories
Source: EUVD
ID: EUVD-2025-28562
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bobbingwide oik allows Reflected XSS. This issue affects oik: from n/a through 4.15.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description (Values Removed): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bobbingwide oik allows Reflected XSS. This issue affects oik: from n/a through 4.15.2.
Description (Values Added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bobbingwide oik oik allows Reflected XSS.This issue affects oik: from n/a through <= 4.15.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 21 Aug 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared (Values Added): Bobbingwide; Bobbingwide oik; Wordpress; Wordpress wordpress
Vendors & Products (Values Added): Bobbingwide; Bobbingwide oik; Wordpress; Wordpress wordpress

Wed, 20 Aug 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bobbingwide oik allows Reflected XSS. This issue affects oik: from n/a through 4.15.2.
Title WordPress oik Plugin <= 4.15.2 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Bobbingwide Oik
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:34.234Z

Reserved: 2025-07-28T10:55:38.572Z

Link: CVE-2025-54670

Vulnrichment

Updated: 2025-08-20T13:56:18.192Z

NVD

Status : Deferred

Published: 2025-08-20T08:15:48.850

Modified: 2026-04-23T15:32:47.557

Link: CVE-2025-54670

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:45:11Z

Weaknesses