Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AMP-MODE Review Disclaimer review-disclaimer allows Stored XSS.This issue affects Review Disclaimer: from n/a through <= 2.0.3.
Published: 2025-12-24
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Apply Patch
AI Analysis

Impact

An Improper Neutralization of Input During Web Page Generation flaw exists in the AMP‑MODE: Review Disclaimer WordPress plugin, which allows stored Cross‑Site Scripting (XSS). The vulnerability permits malicious JavaScript to be embedded in content that is later rendered by the plugin, causing the script to run in the browsers of anyone who views the affected pages.

Affected Systems

The AMP‑MODE: Review Disclaimer plugin is affected for every release up to and including version 2.0.3. WordPress sites that have installed the plugin with those or earlier versions are therefore vulnerable.

Risk and Exploitability

The CVSS score of 5.9 marks this as a medium severity issue, while an EPSS score of less than 1% indicates a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Based on the description, an attacker would need to submit malicious input through the plugin’s data entry points—such as review fields or configuration panels—which is later displayed without adequate sanitization, leading to script execution in the context of site visitors. This inference is derived from the nature of stored XSS and is not explicitly stated in the CVE description.

Generated by OpenCVE AI on April 28, 2026 at 10:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Review Disclaimer plugin to a version newer than 2.0.3 that contains the XSS fix.
  • If an upgrade is not immediately available, deactivate or uninstall the plugin to eliminate the vulnerable code paths.
  • Implement a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins, which mitigates the impact of any residual XSS payloads.

Generated by OpenCVE AI on April 28, 2026 at 10:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Mon, 29 Dec 2025 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 24 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Dec 2025 13:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AMP-MODE Review Disclaimer review-disclaimer allows Stored XSS.This issue affects Review Disclaimer: from n/a through <= 2.0.3.
Title WordPress Review Disclaimer plugin <= 2.0.3 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:22.835Z

Reserved: 2025-12-09T16:46:50.745Z

Link: CVE-2025-67628

cve-icon Vulnrichment

Updated: 2025-12-24T18:55:39.440Z

cve-icon NVD

Status : Deferred

Published: 2025-12-24T13:16:18.943

Modified: 2026-04-27T18:16:47.177

Link: CVE-2025-67628

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T10:15:28Z

Weaknesses