Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TieLabs Jannah - Extensions jannah-extensions allows DOM-Based XSS. This issue affects Jannah - Extensions: from n/a through <= 1.1.4.
Published: 2025-10-29
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a DOM‑Based Cross‑Site Scripting flaw caused by the plugin’s failure to neutralize user input before rendering it in a web page. When triggered, an attacker can inject and execute malicious scripts in the context of a victim’s browser, leading to potential session hijacking, cookie theft, defacement, or other client‑side attacks. The weakness is classified as CWE‑79, which underscores the lack of proper input sanitization.

Affected Systems

The issue affects the Jannah – Extensions plugin developed by TieLabs, versions from the initial release up to and including 1.1.4. The plugin is used within WordPress environments, so any WordPress site deploying a vulnerable version is at risk.

Risk and Exploitability

The CVSS score of 6.5 places the vulnerability in the medium severity range. The EPSS score of less than 1% indicates a low but non‑zero likelihood of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Given that DOM‑Based XSS typically requires a victim to visit a crafted URL or interact with unsanitized input, the likely attack vector is a remote, user‑initiated attempt to exploit the plugin’s input handling.

Generated by OpenCVE AI on April 29, 2026 at 12:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website for an updated release of Jannah – Extensions; if a newer version is available, upgrade the plugin immediately.
  • Review the plugin’s input handling and implement additional sanitization or whitelist filtering for any user‑controllable fields exposed by the plugin.
  • Configure a web application firewall or the site’s security plugin to block known XSS payload patterns targeting the affected plugin’s endpoints.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 30 Oct 2025 14:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tielabs; Tielabs jannah; Wordpress; Wordpress wordpress
Vendors & Products | | Tielabs; Tielabs jannah; Wordpress; Wordpress wordpress

Wed, 29 Oct 2025 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 29 Oct 2025 09:00:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TieLabs Jannah - Extensions jannah-extensions allows DOM-Based XSS. This issue affects Jannah - Extensions: from n/a through <= 1.1.4.
Title | | WordPress Jannah - Extensions plugin <= 1.1.4 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:24:48.816Z

Reserved: 2025-10-29T03:07:57.235Z

Link: CVE-2025-64208

Vulnrichment

Updated: 2025-10-29T14:42:00.908Z

NVD

Status: Deferred

Published: 2025-10-29T09:15:41.283

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-64208

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T12:45:11Z

Weaknesses