Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MatrixAddons Easy Invoice easy-invoice allows DOM-Based XSS. This issue affects Easy Invoice: from n/a through <= 2.0.9.
Published: 2025-12-18
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

This flaw is a DOM‑based Cross‑Site Scripting vulnerability that allows an attacker to inject arbitrary client‑side script into the web page rendered by the Easy Invoice plugin. Because the plugin does not properly neutralize user‑supplied data, an attacker could execute code in a victim’s browser, gaining the ability to steal session cookies, deface the site, or perform phishing attacks within the context of the affected WordPress installation. The impact is a direct compromise of confidentiality and integrity for users interacting with the plugin, but it does not affect availability at the server level.

Affected Systems

MatrixAddons Easy Invoice plugin versions up to and including 2.0.9 are affected. The vulnerability applies to all installations of this plugin for WordPress where untrusted input is reflected in the generated HTML without proper escaping.

Risk and Exploitability

The CVSS score of 7.1 classifies the vulnerability as High severity. The EPSS score of less than 1% indicates a very low exploitation probability at the current time, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, it can be triggered by crafted input in a normal web request, so defenders should consider the risk of an attacker injecting malicious JavaScript via the plugin’s input fields.

Generated by OpenCVE AI on April 28, 2026 at 10:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Easy Invoice to the latest release (v2.1.0 or later).
  • If an immediate upgrade is not possible, remove or sanitize any user‑supplied data that is rendered by the plugin, ensuring that all output is properly escaped for JavaScript/HTML contexts.
  • If the plugin remains in use, limit its access to administrators only and enforce strict input validation, or selectively disable the plugin on sites that do not require it.

Advisories

No advisories yet.

History

Thu, 22 Jan 2026 00:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 19 Dec 2025 09:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 18 Dec 2025 07:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MatrixAddons Easy Invoice easy-invoice allows DOM-Based XSS.This issue affects Easy Invoice: from n/a through <= 2.0.9.
Title | | WordPress Easy Invoice plugin <= 2.0.9 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:21:54.964Z

Reserved: 2025-06-19T10:04:11.672Z

Link: CVE-2025-6324

Vulnrichment

Updated: 2025-12-18T19:01:20.136Z

NVD

Status: Deferred

Published: 2025-12-18T08:16:16.817

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6324

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T10:15:28Z

Weaknesses