Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows DOM-Based XSS. This issue affects Document Library Lite: from n/a through <= 1.1.7.
Published: 2025-12-16
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: DOM‑based cross‑site scripting (XSS) that can allow attackers to execute arbitrary JavaScript in the context of affected users.
Action: Patch Now
AI Analysis

Impact

The vulnerability arises from improper neutralization of user‑supplied input during web page generation in the Barn2 Plugins Document Library Lite plugin, which leads to a DOM‑based XSS condition. An attacker can inject malicious scripts that execute in the browsers of users who view pages rendered by the plugin, potentially enabling session hijacking, defacement, or data theft. The description identifies the flaw as a scripting issue but does not state whether standard output sanitization mitigates it. The likely attack vector is an input field or URL parameter processed by the plugin, though the exact vector is not stated.

Affected Systems

WordPress sites that run the Barn2 Plugins Document Library Lite plugin at version 1.1.7 or older. The CWE identified for this issue is CWE-79, representing a cross‑site scripting weakness.

Risk and Exploitability

The CVSS score is 5.9, indicating moderate severity. The EPSS score is below 1%, suggesting a low likelihood of exploitation at the present time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to provide crafted input to the plugin; successful exploitation would allow the attacker to inject and run arbitrary JavaScript in the victim’s browser, leading to potential credential compromise or defacement.

Generated by OpenCVE AI on April 28, 2026 at 10:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Document Library Lite plugin to a version newer than 1.1.7 once an update is available.
  • If an update cannot be applied immediately, disable or remove the plugin to prevent the vulnerability from being exploitable.
  • Implement a site‑wide Content Security Policy that restricts inline script execution to reduce the impact of any residual XSS payloads.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values removed: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Tue, 20 Jan 2026 14:45:00 +0000

Tue, 16 Dec 2025 17:15:00 +0000

Type: First Time appeared
Values added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values added: Wordpress; Wordpress wordpress
Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 16 Dec 2025 16:30:00 +0000

Type: Metrics
Values added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 16 Dec 2025 08:30:00 +0000

Type: Description
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows DOM-Based XSS. This issue affects Document Library Lite: from n/a through <= 1.1.7.
Type: Title
Values added: WordPress Document Library Lite plugin <= 1.1.7 - Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Values added: CWE-79
Type: References
Values added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:25.294Z

Reserved: 2025-12-15T10:00:33.670Z

Link: CVE-2025-67986

Vulnrichment

Updated: 2025-12-16T16:12:48.971Z

NVD

Status: Deferred

Published: 2025-12-16T09:16:00.507

Modified: 2026-06-17T09:58:22.703

Link: CVE-2025-67986

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T10:15:28Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')