Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aThemeArt Translations eDS Responsive Menu eds-responsive-menu allows Reflected XSS. This issue affects eDS Responsive Menu: from n/a through <= 1.2.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input during page generation in the aThemeArt Translations eDS Responsive Menu plugin allows a reflected cross-site scripting attack. This flaw originates from insufficient escaping when user-supplied data is echoed to the page, enabling an attacker to inject and execute arbitrary JavaScript code within the victim’s browser. Although the exploitation requires the victim to visit a crafted URL or submit a manipulated form, the impact would include theft of credentials, session hijacking, or the delivery of malicious payloads, compromising the confidentiality and integrity of the user session.

Affected Systems

WordPress sites that have installed the eDS Responsive Menu plugin version 1.2 or earlier are affected. This applies to all installations of the aThemeArt Translations product that have not yet upgraded beyond version 1.2.

Risk and Exploitability

The CVSS score of 7.1 places this issue in the High severity band. The EPSS score of less than 1% suggests a very low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The attack vector for this reflected XSS is inferred to be remote, requiring an attacker to supply specially crafted input that the plugin fails to sanitize before rendering it in the user’s browser.

Generated by OpenCVE AI on April 29, 2026 at 10:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the eDS Responsive Menu plugin to a version newer than 1.2 to address the XSS flaw.
  • If no patched version is available, permanently delete or disable the plugin to remove the vulnerable code path.
  • Implement a web-application firewall rule or a Content Security Policy that blocks script execution from untrusted sources until the plugin is patched.



Advisories

No advisories yet.

History

Mon, 23 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Athemeart Translations
Athemeart Translations eds Responsive Menu
Wordpress
Wordpress wordpress
Vendors & Products Athemeart Translations
Athemeart Translations eds Responsive Menu
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aThemeArt Translations eDS Responsive Menu eds-responsive-menu allows Reflected XSS. This issue affects eDS Responsive Menu: from n/a through <= 1.2.
Title WordPress eDS Responsive Menu plugin <= 1.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:03:16.966Z

Reserved: 2025-12-24T14:00:10.433Z

Link: CVE-2025-68845

Vulnrichment

Updated: 2026-02-23T21:46:16.309Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:13.273

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68845

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:45:09Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')