Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FirePlugins FireBox firebox allows Stored XSS. This issue affects FireBox: from n/a through <= 3.1.0-free.
Published: 2025-12-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user‑supplied input in the FireBox plugin allows an attacker to store malicious scripts that are then served to every visitor of affected content.

Affected Systems

All WordPress sites that have the FirePlugins FireBox component installed at version 3.1.0‑free or earlier are affected. The bug is tied to how FireBox stores unsanitized input in the database, so any instance of the plugin sending such data to a page will be vulnerable.

Risk and Exploitability

The CVSS score of 6.5 classifies the issue as medium severity, while the EPSS score of < 1% indicates a low probability of exploitation at present. The CVE is not listed in the CISA KEV catalog. Based on the nature of stored XSS, the likely attack vector requires an attacker to have some ability to create or edit content, such as an authenticated editor or administrator, to persist malicious payloads in the database. Once stored, any site visitor can be affected.

Generated by OpenCVE AI on April 29, 2026 at 16:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FireBox to a version newer than 3.1.0‑free.
  • If an upgrade cannot be performed immediately, disable the plugin or remove all content that may contain unsanitized inputs.
  • Add server‑side input validation and output escaping for all FireBox fields, using WordPress’s built‑in escape functions to neutralize embedded scripts.



Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 10 Dec 2025 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Dec 2025 18:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Tue, 09 Dec 2025 14:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FirePlugins FireBox firebox allows Stored XSS. This issue affects FireBox: from n/a through <= 3.1.0-free.
Title | | WordPress FireBox plugin <= 3.1.0-free - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:19:15.550Z

Reserved: 2025-12-09T12:21:17.725Z

Link: CVE-2025-67545

Vulnrichment

Updated: 2025-12-10T21:23:53.277Z

NVD

Status: Deferred

Published: 2025-12-09T16:18:30.210

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-67545

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T16:15:15Z

Weaknesses