Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Robin W bbp topic count bbp-topic-count allows DOM-Based XSS. This issue affects bbp topic count: from n/a through <= 3.2.
Published: 2025-09-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the description, the vulnerability results from improper neutralization of user input during web page generation, allowing DOM‑based XSS. A malicious actor can inject crafted script into the page as it is loaded by a site visitor, potentially leading to session hijacking, defacement, or execution of further attacks in the victim’s browser context. The weakness is a classic Cross‑Site Scripting flaw (CWE‑79).

Affected Systems

This issue affects the WordPress bbp topic count plugin developed by Robin W. All released versions up to and including 3.2 are affected; versions beyond 3.2 are not known to contain the flaw.

Risk and Exploitability

The CVSS base score of 6.5 reflects moderate severity due to a client‑side exploitation path that does not require authentication. The EPSS score is reported as less than 1%, indicating a low probability of exploitation at the moment, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is a crafted URL or form input that a user clicks or submits, which the browser then interprets as executable code. Because the flaw can be triggered by any user visiting the site, all visitors are at risk if the plugin remains at an affected version.

Generated by OpenCVE AI on April 30, 2026 at 05:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest plugin update, ensuring the installed version is 3.3 or newer to remove the XSS flaw
  • If a newer version is unavailable, disable or delete the bbp topic count plugin to eliminate the attack surface
  • Consider implementing a Content Security Policy that restricts script execution from untrusted sources as an additional defense

Advisories
Source: EUVD
ID: EUVD-2025-31242
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Robin W bbp topic count allows DOM-Based XSS. This issue affects bbp topic count: from n/a through 3.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Robin W bbp topic count allows DOM-Based XSS. This issue affects bbp topic count: from n/a through 3.1.
Value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Robin W bbp topic count bbp-topic-count allows DOM-Based XSS.This issue affects bbp topic count: from n/a through <= 3.2.

Type: Title
Value removed: WordPress bbp topic count Plugin <= 3.1 - Cross Site Scripting (XSS) Vulnerability
Value added: WordPress bbp topic count plugin <= 3.2 - Cross Site Scripting (XSS) vulnerability

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Mon, 29 Sep 2025 09:45:00 +0000

Type: First Time appeared
Values added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Wordpress; Wordpress wordpress

Fri, 26 Sep 2025 17:15:00 +0000

Type: Metrics (ssvc)
Value added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Sep 2025 08:45:00 +0000

Type: Description
Value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Robin W bbp topic count allows DOM-Based XSS. This issue affects bbp topic count: from n/a through 3.1.

Type: Title
Value added: WordPress bbp topic count Plugin <= 3.1 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Value added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Value added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:56.704Z

Reserved: 2025-09-25T15:28:09.602Z

Link: CVE-2025-60163

Vulnrichment

Updated: 2025-09-26T16:56:29.018Z

NVD

Status : Deferred

Published: 2025-09-26T09:15:45.823

Modified: 2026-04-23T15:34:20.300

Link: CVE-2025-60163

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T06:00:12Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')