Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Subscriptions Zoho Billing zoho-subscriptions allows DOM-Based XSS. This issue affects Zoho Billing: from n/a through <= 4.1.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a DOM-based cross-site scripting flaw in the Zoho Subscriptions Zoho Billing plugin up to and including version 4.1. Attackers can inject arbitrary JavaScript into a page rendered by the plugin, potentially enabling session hijacking, credential theft, or other client-side attacks. The weakness is classified as CWE-79, the failure to neutralize input before it is included in the web page.

Affected Systems

WordPress sites that install the Zoho Billing plugin from Zoho Subscriptions and are running any version through 4.1 are affected. No vendor-supplied sub-versions are listed, so the entire range up to the 4.1 release is vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% indicates a very low probability of exploitation in the current environment. Because the flaw is DOM-based, an attacker must entice a legitimate user to visit a maliciously crafted link or submit a form that carries the vulnerable input; the injected script executes only in the victim's browser, not on the server. The vulnerability is not listed in the CISA KEV catalog, which further reduces the likelihood of mass-scale exploitation.

Generated by OpenCVE AI on April 30, 2026 at 00:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Zoho Billing plugin to the latest available version (4.2 or newer) to remove the XSS defect.
  • If a newer release is unavailable, deactivate or uninstall the plugin until an update is released.
  • Implement a web application firewall rule or security plugin setting that blocks script payloads targeting the plugin’s parameters to reduce exposure while a permanent fix is deployed.


Tracking


Advisories
Source: EUVD
ID: EUVD-2025-30711
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Subscriptions Zoho Billing allows DOM-Based XSS. This issue affects Zoho Billing: from n/a through 4.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Subscriptions Zoho Billing allows DOM-Based XSS. This issue affects Zoho Billing: from n/a through 4.1.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Subscriptions Zoho Billing zoho-subscriptions allows DOM-Based XSS.This issue affects Zoho Billing: from n/a through <= 4.1.

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 23 Sep 2025 16:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Tue, 23 Sep 2025 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Sep 2025 18:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Subscriptions Zoho Billing allows DOM-Based XSS. This issue affects Zoho Billing: from n/a through 4.1.

Type: Title
Values Removed: (none)
Values Added: WordPress Zoho Billing Plugin <= 4.1 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:39.447Z

Reserved: 2025-08-22T11:36:51.670Z

Link: CVE-2025-57963

Vulnrichment

Updated: 2025-09-23T14:19:43.668Z

NVD

Status: Deferred

Published: 2025-09-22T19:15:55.333

Modified: 2026-04-23T15:33:08.447

Link: CVE-2025-57963

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T01:00:13Z

Weaknesses