Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RexTheme WP VR wpvr allows DOM-Based XSS.This issue affects WP VR: from n/a through <= 8.5.48.
Published: 2025-10-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input in the RexTheme WP VR WordPress plugin results in a DOM‑based Cross‑Site Scripting flaw. The vulnerability is classified as CWE‑79 and allows an attacker to inject malicious JavaScript that runs in the context of any site visitor, including administrators. Successful exploitation can lead to defacement, phishing, session hijacking, or theft of sensitive data held on the site.

Affected Systems

The flaw affects the WP VR plugin by RexTheme for WordPress versions from the earliest release through 8.5.48. The safe state is achieved by installing version 8.5.49 or later, which contains the remediation for the input sanitization issue.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, while an EPSS score of less than 1% suggests that exploitation is unlikely at present. The flaw is not listed in the CISA KEV catalog. The likely attack vector is a crafted URL or malicious content that a visitor or administrator loads within the plugin’s interface; no privileged access is required to trigger the flaw, and the impact can affect all users who view the vulnerable page.

Generated by OpenCVE AI on April 29, 2026 at 12:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP VR plugin to version 8.5.49 or later, which removes the vulnerability.
  • If an upgrade cannot be performed immediately, disable or remove the WP VR plugin to eliminate exposure while a patch is applied.
  • Implement a Content Security Policy that blocks inline scripts and restricts script sources to trusted domains to mitigate the risk of any remaining XSS vectors.

Generated by OpenCVE AI on April 29, 2026 at 12:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RexTheme WP VR wpvr allows DOM-Based XSS.This issue affects WP VR: from n/a through <= 8.5.42. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RexTheme WP VR wpvr allows DOM-Based XSS.This issue affects WP VR: from n/a through <= 8.5.48.
Title WordPress WP VR plugin <= 8.5.42 - Cross Site Scripting (XSS) vulnerability WordPress WP VR plugin <= 8.5.48 - Cross Site Scripting (XSS) vulnerability

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Mon, 27 Oct 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Rextheme
Rextheme wp Vr
Wordpress
Wordpress wordpress
Vendors & Products Rextheme
Rextheme wp Vr
Wordpress
Wordpress wordpress

Mon, 27 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Oct 2025 02:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RexTheme WP VR wpvr allows DOM-Based XSS.This issue affects WP VR: from n/a through <= 8.5.42.
Title WordPress WP VR plugin <= 8.5.42 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Rextheme Wp Vr
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:57:15.581Z

Reserved: 2025-10-24T14:24:07.765Z

Link: CVE-2025-62885

cve-icon Vulnrichment

Updated: 2025-10-27T15:23:29.699Z

cve-icon NVD

Status : Deferred

Published: 2025-10-27T02:15:47.350

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-62885

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T13:00:06Z

Weaknesses