Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Amauri WPMobile.App wpappninja. This issue affects WPMobile.App: from n/a through <= 11.71.
Published: 2025-11-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress WPMobile.App (wpappninja) does not properly neutralize input during web page generation, which allows an attacker to inject malicious scripts into the page output. This improper handling corresponds to a classic XSS weakness (CWE‑79) and could enable arbitrary script execution in a victim’s browser when the affected plugin processes attacker-influenced input. The impact is confined to the browser context of visitors to the site; an attacker could use the injected script to alter the displayed content or perform client‑side actions.

Affected Systems

The vulnerability affects all WordPress sites running the WPMobile.App plugin version 11.71 or earlier. The vendor is Amauri, and the issue is present in every release from the first documented version through 11.71.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. The EPSS value of < 1% suggests that exploitation is currently uncommon but possible. The vulnerability is not listed in CISA’s KEV catalog. Because the flaw is remotely exploitable and depends on an attacker supplying crafted input to the plugin’s endpoints, it can be triggered from an external host with knowledge of the plugin’s interface.

Generated by OpenCVE AI on April 29, 2026 at 20:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPMobile.App plugin to any version newer than 11.71 where the XSS issue is resolved.
  • If the plugin cannot be updated immediately, disable or remove it from the WordPress installation to eliminate the attack surface.
  • Consider deploying a web application firewall rule to block or sanitize requests that target the plugin’s input processing endpoints.



Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 06 Nov 2025 20:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Amauri; Amauri wpmobile.app; Wordpress; Wordpress wordpress |
| Vendors & Products | | Amauri; Amauri wpmobile.app; Wordpress; Wordpress wordpress |

Thu, 06 Nov 2025 17:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 06 Nov 2025 16:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Amauri WPMobile.App wpappninja. This issue affects WPMobile.App: from n/a through <= 11.71. |
| Title | | WordPress WPMobile.App plugin <= 11.71 - Cross Site Scripting (XSS) vulnerability |
| Weaknesses | | CWE-79 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:53:19.307Z

Reserved: 2025-10-07T15:34:44.825Z

Link: CVE-2025-62074

Vulnrichment

Updated: 2025-11-06T16:50:24.650Z

NVD

Status: Deferred

Published: 2025-11-06T16:16:12.910

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-62074

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T20:15:19Z

Weaknesses