Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in totalbounty Widget Logic Visual widget-logic-visual allows Reflected XSS. This issue affects Widget Logic Visual: from n/a through <= 1.52.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A reflected cross-site scripting vulnerability exists in totalbounty's Widget Logic Visual WordPress plugin because user-supplied input is placed into a generated page without adequate neutralization (CWE-79). An attacker who gets a victim to open a crafted URL can run arbitrary script in the victim's browser in the context of the affected site. That script can read any session data the browser exposes to scripts, deface the page, redirect the user, or perform actions on the site with whatever privileges the victim's session holds.

Affected Systems

The vulnerable product is the WordPress plugin Widget Logic Visual (slug widget-logic-visual) from the vendor totalbounty. The advisory gives no lower bound ("from n/a"), so every release up to and including 1.52 should be treated as affected; any site running the plugin at version 1.52 or below is at risk.
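To make the affected range concrete, here is an added example (not the plugin's or OpenCVE's code) that reads the Version: field from a WordPress plugin's main-file header and decides whether it falls within "n/a through <= 1.52". The plugin header text is constructed for the example. The comparison uses component-wise numeric ordering, as PHP's version_compare() does, so that a hypothetical "1.6" sorts below 1.52 rather than above it; this page does not list the plugin's actual release numbers, so the candidate versions are illustrative only.

```python
import re
from typing import Optional, Tuple

# Upper bound of the affected range from the advisory: "from n/a through <= 1.52".
AFFECTED_MAX = "1.52"

# Constructed stand-in for a WordPress plugin's main-file header. Real plugin
# headers use this "Key: value" comment layout; the content here is made up.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Widget Logic Visual
 * Version: 1.52
 * Text Domain: widget-logic-visual
 */
"""


def parse_plugin_version(php_source: str) -> Optional[str]:
    """Return the 'Version:' value from a WordPress plugin header, or None."""
    m = re.search(r"^[ \t]*\*?[ \t]*Version:[ \t]*(\S+)", php_source, re.MULTILINE)
    return m.group(1) if m else None


def version_tuple(v: str) -> Tuple[int, ...]:
    """Split a dotted numeric version into integer components.

    Comparing these tuples mirrors PHP's version_compare(): 1.52 > 1.6 because
    52 > 6, unlike float (1.52 < 1.6) or plain string ordering. Pre-release
    suffixes such as '-beta' are not modelled here (assumption for the example).
    """
    return tuple(int(p) for p in re.findall(r"\d+", v))


def version_le(a: str, b: str) -> bool:
    """True when version a <= version b, padding the shorter tuple with zeros."""
    ta, tb = version_tuple(a), version_tuple(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) <= tb + (0,) * (n - len(tb))


def is_affected(installed: str) -> bool:
    """The advisory states no lower bound, so any version <= 1.52 is affected."""
    return version_le(installed, AFFECTED_MAX)


if __name__ == "__main__":
    found = parse_plugin_version(SAMPLE_PLUGIN_HEADER)
    if found is not None:
        print(f"header version {found}: affected={is_affected(found)}")
    # Illustrative candidates, not the plugin's actual release history.
    for candidate in ("1.6", "1.52", "1.52.1", "1.53", "2.0"):
        print(f"{candidate:>7}: affected={is_affected(candidate)}")
```

On a live site the installed version can be read with WP-CLI (`wp plugin get widget-logic-visual --field=version`) and fed to is_affected(); the point of the tuple comparison is that a version such as 1.6 is older than 1.52 under WordPress's own ordering, so "newer than 1.52" must be judged component-wise, not by eye.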

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High) comes from the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: the attack is delivered over the network, needs no privileges and little skill, but requires user interaction (the victim must open a crafted link), and it crosses a scope boundary from the site into the victim's browser with low confidentiality, integrity and availability impact each. The EPSS score of under 1% suggests that exploitation is currently rare, and the vulnerability is not listed in CISA's KEV catalog. The most likely attack vector is a crafted HTTP request whose parameter values the plugin echoes back into the page unescaped. The payload runs only client-side in the victim's browser, and the description indicates no direct server-side code execution; note, however, that if the victim is a logged-in administrator, the script runs with that session and can drive any action the WordPress admin interface permits.

Generated by OpenCVE AI on April 29, 2026 at 11:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • No fixed version is listed at the time of this entry (see Remediation). Check the plugin's changelog and update as soon as a release newer than 1.52 is published that addresses this issue; afterwards confirm the installed version number rather than assuming the update applied.
  • If no fixed release is available, deactivate the plugin until one is installed. Merely removing its widgets from public pages is a weaker measure, because this page does not state which of the plugin's endpoints reflects the input.
  • A web application firewall or similar request filtering that blocks obvious payloads (such as script tags) reduces opportunistic exploitation but is a stopgap, not a fix: reflected XSS payloads can use event-handler attributes, alternative tags or URL encoding to bypass literal pattern matching.
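Two points above can be checked concretely: that the plugin echoes request input back into the page (Risk and Exploitability), and that WAF pattern matching is only a stopgap (the last recommended action). The following is an added example, not the plugin's or OpenCVE's code. The first half tests whether a response body reflects a canary with its HTML metacharacters intact, which is how a tester confirms a reflected XSS sink or verifies a fix; the second half compares a literal "<script" WAF rule against a rule that percent-decodes first and also looks for event-handler attributes. Both response bodies and all probe strings are constructed for the example; the page does not identify which request parameter the plugin reflects.

```python
import html
import re
from urllib.parse import unquote

# ---- Part 1: does a page reflect a request value without escaping it? ----

# Canary whose '<', '>' and '"' must come back entity-encoded if the page
# escapes output correctly. The token is made up for this example.
CANARY = 'xsscanary<"x">xsscanary'

# Constructed response bodies standing in for a page that reflects a request
# parameter before and after output escaping; not the plugin's real HTML.
UNESCAPED_BODY = f"<p>Widget rule: {CANARY}</p>"
ESCAPED_BODY = f"<p>Widget rule: {html.escape(CANARY, quote=True)}</p>"


def reflects_raw(body: str, canary: str = CANARY) -> bool:
    """True when the canary appears with its metacharacters intact, i.e. the
    sink is injectable."""
    return canary in body


def reflects_escaped(body: str, canary: str = CANARY) -> bool:
    """True when the canary is present only in entity-encoded form. Decoding
    with html.unescape() accepts any entity spelling (&quot; or &#034; etc.),
    so the check does not depend on which escaping routine the fix uses."""
    return canary not in body and html.unescape(body).count(canary) == 1


# ---- Part 2: why a literal "<script" WAF rule is only a stopgap ----

def naive_waf_blocks(raw_query: str) -> bool:
    """Literal match on the undecoded query string, as a minimal rule would do."""
    return "<script" in raw_query.lower()


# Any tag opener, any on*= handler attribute, or a javascript: URL.
_TAG_OR_HANDLER = re.compile(r"<\s*[a-z!/]|\bon[a-z]+\s*=|javascript\s*:", re.I)


def decoding_waf_blocks(raw_query: str, max_rounds: int = 3) -> bool:
    """Percent-decode until stable (attackers double-encode), then match a
    broader pattern than '<script'. Still bypassable in principle, and prone
    to false positives, which is why it complements a code fix, not replaces it."""
    decoded = raw_query
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return bool(_TAG_OR_HANDLER.search(decoded))


# Constructed probe query strings a tester might send at a reflected sink.
PROBES = {
    "plain script tag": "q=<script>alert(1)</script>",
    "url-encoded script tag": "q=%3Cscript%3Ealert(1)%3C/script%3E",
    "double-encoded script tag": "q=%253Cscript%253Ealert(1)%253C/script%253E",
    "img onerror handler": "q=<img src=x onerror=alert(1)>",
    "svg onload handler": "q=<svg/onload=alert(1)>",
    "javascript: url": "q=javascript:alert(1)",
}


def compare_waf_rules(probes=PROBES):
    """Return {name: (naive_blocks, decoding_blocks)} for every probe."""
    return {n: (naive_waf_blocks(p), decoding_waf_blocks(p)) for n, p in probes.items()}


if __name__ == "__main__":
    print("unescaped body injectable:", reflects_raw(UNESCAPED_BODY))
    print("escaped body injectable:  ", reflects_raw(ESCAPED_BODY))
    for name, (naive, better) in compare_waf_rules().items():
        print(f"{name:28} naive={naive!s:5} decoding={better}")
```

The naive rule stops only the first probe; the decoding rule stops all six, but a broader regex of this kind also trips on harmless input that happens to contain something like "one=", so it buys time rather than replacing the output-escaping fix that the canary check verifies.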


Advisories

No advisories yet.

History

Mon, 23 Feb 2026 22:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added:
  Totalbounty
  Totalbounty widget Logic Visual
  Wordpress
  Wordpress wordpress
Type: Vendors & Products
Values Added:
  Totalbounty
  Totalbounty widget Logic Visual
  Wordpress
  Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Added:
  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in totalbounty Widget Logic Visual widget-logic-visual allows Reflected XSS. This issue affects Widget Logic Visual: from n/a through <= 1.52.
Type: Title
Values Added:
  WordPress Widget Logic Visual plugin <= 1.52 - Reflected Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Values Added:
  CWE-79
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:02:49.836Z

Reserved: 2025-12-24T13:59:58.566Z

Link: CVE-2025-68842

Vulnrichment

Updated: 2026-02-23T21:46:25.253Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:12.873

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68842

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:15:09Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')