Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Schiocco Support Board supportboard allows Reflected XSS. This issue affects Support Board: from n/a through < 3.8.7.
Published: 2025-12-18
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation that allows malicious JavaScript to be reflected back to users who view a page that includes the plugin’s input fields. An attacker can embed a crafted URL or form payload that contains executable script; when an authenticated or unauthenticated visitor opens the page, the script runs in the victim’s browser. The impact is client‑side code execution which can lead to session hijacking, credential theft, or delivery of phishing content, thereby compromising confidentiality and integrity of the user session.

Affected Systems

Schiocco Support Board plugin, versions prior to 3.8.7 (any release starting from the first available version up to 3.8.6).

Risk and Exploitability

The CVSS score of 7.1 classifies this as high severity. The EPSS score of less than 1% indicates that, while exploitation is possible, the likelihood of widespread attacks is currently low. The issue is not listed in the CISA KEV catalog. The attack requires a user to visit a crafted URL or interact with a form that the plugin processes, after which the attacker’s script is executed in the victim’s browser. The attacker needs no privileges and no network access beyond reaching the target web application.

Generated by OpenCVE AI on April 29, 2026 at 13:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Support Board plugin to version 3.8.7 or later.
  • If an update cannot be applied immediately, deactivate or remove the plugin until a fix is released.
  • Configure a web application firewall or enforce a content security policy to block malicious scripts originating from the plugin’s input fields.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 19 Dec 2025 09:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Schiocco; Schiocco support Board; Wordpress; Wordpress wordpress |
| Vendors & Products | | Schiocco; Schiocco support Board; Wordpress; Wordpress wordpress |

Thu, 18 Dec 2025 19:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'} |
| | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 18 Dec 2025 07:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Schiocco Support Board supportboard allows Reflected XSS. This issue affects Support Board: from n/a through < 3.8.7. |
| Title | | WordPress Support Board plugin < 3.8.7 - Cross Site Scripting (XSS) vulnerability |
| Weaknesses | | CWE-79 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:39:33.901Z

Reserved: 2025-09-25T15:28:27.830Z

Link: CVE-2025-60182

Vulnrichment

Updated: 2025-12-18T19:08:31.794Z

NVD

Status: Deferred

Published: 2025-12-18T08:16:09.853

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-60182

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T13:15:11Z

Weaknesses