Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ReyCommerce Rey Core rey-core allows Stored XSS.This issue affects Rey Core: from n/a through <= 3.1.8.
Published: 2025-10-29
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw that allows an attacker to inject malicious scripts into content managed by the Rey Core plugin. When such content is rendered on a page, the payload runs in the context of the site, potentially enabling defacement, session hijacking, or the delivery of further malware. The flaw is classified as CWE‑79 and can affect the confidentiality, integrity, and availability of the affected website.

Affected Systems

Affected systems include WordPress sites that have the ReyCore plugin (ReyCommerce Rey Core) installed with a version of 3.1.8 or earlier. The plugin is responsible for rendering user‑generated content, so the impact is limited to sites running the vulnerable version of this plugin.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate level of severity. The EPSS score of less than 1% suggests exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. However, because the flaw allows arbitrary script execution on stored content, an attacker with the ability to submit or edit content can exploit it remotely through the plugin’s input fields. The attack requires access to the plugin’s content entry interface but does not need privileged credentials if the site permits content authors to edit pages.

Generated by OpenCVE AI on April 29, 2026 at 12:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rey Core to the latest version that resolves the stored XSS flaw (any release newer than 3.1.8).
  • Restrict the ability to edit plugin content to trusted administrators only, removing permission for untrusted users to submit content that can be rendered with user input.
  • If an upgrade is delayed, sanitize or escape any user‑supplied input that the plugin outputs, immediately removing <script> tags or other executable content from stored fields.

Generated by OpenCVE AI on April 29, 2026 at 12:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 30 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 29 Oct 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Oct 2025 09:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ReyCommerce Rey Core rey-core allows Stored XSS.This issue affects Rey Core: from n/a through <= 3.1.8.
Title WordPress Rey Core plugin <= 3.1.8 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:25:56.042Z

Reserved: 2025-10-29T03:08:02.189Z

Link: CVE-2025-64220

cve-icon Vulnrichment

Updated: 2025-10-29T14:48:03.259Z

cve-icon NVD

Status : Deferred

Published: 2025-10-29T09:15:43.393

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-64220

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T12:45:11Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')