Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in expresstechsoftware MemberPress Discord Addon expresstechsoftwares-memberpress-discord-add-on allows Reflected XSS.This issue affects MemberPress Discord Addon: from n/a through <= 1.1.4.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of user‑supplied input during page generation, allowing attackers to inject arbitrary HTML or JavaScript via a crafted URL. The attack causes the injected script to execute in the victim’s browser, creating a cross‑site scripting (CWE‑79) flaw with the potential to run malicious code. The impact is confined to the victim’s session when they view the malicious content.

Affected Systems

WordPress websites that have installed the MemberPress Discord Addon plugin from ExpressTechSoftware, version 1.1.4 or older.

Risk and Exploitability

The CVSS score of 7.1 indicates a high potential impact when exploited; the EPSS score of less than 1% indicates a low likelihood of widespread exploitation at the present time. The vulnerability is user‑interaction based, requiring the victim to load a crafted page. The plugin is not listed in the CISA KEV catalog, meaning no known active exploitation has been reported. Site operators should treat the risk as moderate to high due to the high severity of the flaw.

Generated by OpenCVE AI on April 29, 2026 at 12:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the MemberPress Discord Addon plugin to any version newer than 1.1.4, ensuring all vendor‑provided patches are applied.
  • If an update is not feasible, disable or remove the plugin’s shortcode or endpoint that accepts user input, or apply a custom sanitization layer that escapes output before rendering.
  • Conduct a comprehensive site‑wide scan for injected scripts and remove any malicious code that may have been introduced through the vulnerable plugin.

Generated by OpenCVE AI on April 29, 2026 at 12:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 28 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Expresstechsoftware
Expresstechsoftware memberpress Discord Addon
Wordpress
Wordpress wordpress
Vendors & Products Expresstechsoftware
Expresstechsoftware memberpress Discord Addon
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in expresstechsoftware MemberPress Discord Addon expresstechsoftwares-memberpress-discord-add-on allows Reflected XSS.This issue affects MemberPress Discord Addon: from n/a through <= 1.1.4.
Title WordPress MemberPress Discord Addon plugin <= 1.1.4 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Expresstechsoftware Memberpress Discord Addon
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:02:23.245Z

Reserved: 2025-12-24T13:59:58.566Z

Link: CVE-2025-68838

cve-icon Vulnrichment

Updated: 2026-01-28T15:32:18.253Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:11.260

Modified: 2026-06-17T09:59:41.273

Link: CVE-2025-68838

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T12:15:09Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')