Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FolioVision FV Antispam fv-antispam allows Reflected XSS. This issue affects FV Antispam: from n/a through <= 2.7.
Published: 2025-12-18
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an instance of improperly neutralised user input that allows attackers to embed malicious JavaScript into the page output generated by the FolioVision FV Antispam plugin. Because the plugin fails to encode or validate the incoming data, a reflected Cross‑Site Scripting flaw exists, which can enable attackers to inject arbitrary scripts that run in the context of any browser that processes the malicious response.

Affected Systems

The FolioVision FV Antispam WordPress plugin versions up to and including 2.7 are affected. Any WordPress site that has these plugin versions installed is vulnerable, regardless of other plugins or themes.

Risk and Exploitability

The CVSS score of 7.1 classifies this issue as high severity. The EPSS score of less than 1% suggests a very low likelihood of active exploitation at this time, and it is not listed in the CISA KEV catalog. The likely attack vector, inferred from the description, is reflected XSS that requires a victim to visit a crafted URL or submit a form that includes malicious input. The flaw does not provide remote or local code execution beyond the browser context.

Generated by OpenCVE AI on April 29, 2026 at 13:01 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the FV Antispam plugin to the latest version (≥2.8) that fixes the XSS flaw.
  • If an immediate update is not possible, temporarily disable or uninstall the plugin to eliminate exposure.
  • Deploy a web application firewall or configure server‑side sanitisation rules to encode or strip user‑supplied input before it is returned to the browser.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 18:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Tue, 20 Jan 2026 14:45:00 +0000

Fri, 19 Dec 2025 09:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 16:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 07:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FolioVision FV Antispam fv-antispam allows Reflected XSS. This issue affects FV Antispam: from n/a through <= 2.7.
Type: Title
Values Added: WordPress FV Antispam plugin <= 2.7 - Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Values Added: CWE-79
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:08:02.494Z

Reserved: 2025-11-21T11:21:12.146Z

Link: CVE-2025-66102

Vulnrichment

Updated: 2025-12-18T15:35:48.928Z

NVD

Status: Deferred

Published: 2025-12-18T08:16:15.937

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-66102

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T13:15:11Z

Weaknesses