Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kapil Chugh My Post Order my-posts-order allows Reflected XSS.This issue affects My Post Order: from n/a through <= 1.2.1.1.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting (CWE-79) may allow attackers to inject scripts, potentially hijacking user sessions or defacing content
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw that occurs when user‑supplied input is incorporated into web page output without proper neutralization. An attacker can embed malicious JavaScript in crafted requests that is executed in the victim’s browser when the page is rendered. This can enable session hijacking, credential theft, defacement or the execution of additional malicious payloads. The weakness is classified as CWE-79 and the affected versions are up to and including 1.2.1.1 of the WordPress My Post Order plugin.

Affected Systems

Kapil Chugh’s My Post Order WordPress plugin, versions from the earliest available up through 1.2.1.1. Site owners using any of these versions are at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates a medium‑to‑high impact. The EPSS score is below 1%, suggesting that active exploitation is presently uncommon, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a reflected endpoint that accepts user input via query parameters or POST data; the attacker needs to entice a user to visit a crafted URL or submit malicious form data in an authenticated session. No additional system‑level prerequisites are required beyond a vulnerable plugin installation.

Generated by OpenCVE AI on April 28, 2026 at 09:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the My Post Order plugin to a version newer than 1.2.1.1 once an official patch is released.
  • If an update is unavailable, deactivate the plugin to stop the vulnerable functionality from running.
  • Deploy a web application firewall rule that blocks any script elements or attempts to inject JavaScript into responses from the My Post Order plugin.

Generated by OpenCVE AI on April 28, 2026 at 09:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kapil Chugh My Post Order my-posts-order allows Reflected XSS.This issue affects My Post Order: from n/a through <= 1.2.1.1.
Title WordPress My Post Order plugin <= 1.2.1.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:52:43.998Z

Reserved: 2025-12-15T10:00:49.129Z

Link: CVE-2025-68004

cve-icon Vulnrichment

Updated: 2026-01-29T17:14:07.796Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:06.723

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68004

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T10:00:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')