Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in colabrio Norebro Extra norebro-extra allows Code Injection. This issue affects Norebro Extra: from n/a through <= 1.6.8.
Published: 2025-12-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of script-related HTML tags in the Norebro Extra plugin allows an attacker to inject script code into web pages viewed by other users. The vulnerability is a basic cross-site scripting flaw that could let the attacker run arbitrary JavaScript in the victim's browser, steal session cookies, deface content, or redirect users to malicious sites. The impact is confined to the affected site's web interface and to the users who view the injected content.

Affected Systems

The vulnerability affects the WordPress Norebro Extra plugin distributed by colabrio, in all versions up to and including 1.6.8. WordPress sites running this plugin remain at risk until action is taken.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, while the EPSS score of less than 1% signals a very low likelihood of exploitation in the wild. The flaw is not listed in CISA's KEV catalog. The attack vector is the web interface that accepts user-supplied input; based on the description, it is inferred that the attacker must submit content, likely through theme options or custom widget settings, to trigger the vulnerability. Once executed, the impact is confined to victims who view the affected page.

Generated by OpenCVE AI on April 29, 2026 at 15:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Norebro Extra plugin to a version newer than 1.6.8, which contains the XSS fix.
  • Configure and enable a Web Application Firewall or a security plugin to filter and block malicious script injections in user input.
  • If the plugin is not required for site functionality, deactivate or remove it entirely to eliminate the vulnerable code path.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Tue, 16 Dec 2025 22:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Dec 2025 18:30:00 +0000

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Tue, 16 Dec 2025 17:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Wordpress; Wordpress wordpress

Tue, 16 Dec 2025 08:30:00 +0000

Type: Description
Values removed: (none)
Values added: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in colabrio Norebro Extra norebro-extra allows Code Injection. This issue affects Norebro Extra: from n/a through <= 1.6.8.

Type: Title
Values removed: (none)
Values added: WordPress Norebro Extra plugin <= 1.6.8 - Content Injection vulnerability

Type: Weaknesses
Values removed: (none)
Values added: CWE-80

Type: References
Values removed: (none)
Values added: (none shown)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:33:12.196Z

Reserved: 2025-11-06T13:11:11.070Z

Link: CVE-2025-64633

Vulnrichment

Updated: 2025-12-16T17:14:15.438Z

NVD

Status: Deferred

Published: 2025-12-16T09:15:55.600

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-64633

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T16:00:06Z

Weaknesses