Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Paris Holley Asynchronous Javascript asynchronous-javascript allows Reflected XSS.This issue affects Asynchronous Javascript: from n/a through <= 1.3.5.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Asynchronous Javascript plugin for WordPress contains an improper neutralization of input during web page generation, identified as a Cross‑Site Scripting (XSS) flaw (CWE‑79). The plugin fails to escape or filter user‑controlled data before it is echoed back to the browser, allowing an attacker to inject and execute arbitrary JavaScript in the context of a victim’s session. This can lead to session hijacking, credential theft, or the execution of malicious payloads that compromise confidential information or alter web content.

Affected Systems

The vulnerability affects the Asynchronous Javascript plugin version 1.3.5 and all earlier releases. The plugin is developed by Paris Holley and used within WordPress installations. Any WordPress site that has not yet upgraded from version 1.3.5 is potentially exposed.

Risk and Exploitability

The risk is moderate, as the vulnerability allows an attacker to run arbitrary script in the victim’s context. The low EPSS score and absence from the KEV catalog suggest that the exploitation probability remains low, but administrators should not underestimate the impact if exposed users are present.

Generated by OpenCVE AI on April 29, 2026 at 11:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Asynchronous Javascript plugin to a version newer than 1.3.5 released by Paris Holley.
  • If a newer version is not immediately obtainable, disable the plugin on all public‑facing pages until a patch is applied.
  • Implement a strict Content Security Policy that blocks execution of inline scripts and disallows unsafe eval, mitigating the impact of any residual XSS.

Generated by OpenCVE AI on April 29, 2026 at 11:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Paris Holley
Paris Holley asynchronous Javascript
Wordpress
Wordpress wordpress
Vendors & Products Paris Holley
Paris Holley asynchronous Javascript
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Paris Holley Asynchronous Javascript asynchronous-javascript allows Reflected XSS.This issue affects Asynchronous Javascript: from n/a through <= 1.3.5.
Title WordPress Asynchronous Javascript plugin <= 1.3.5 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Paris Holley Asynchronous Javascript
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:03:26.267Z

Reserved: 2025-12-24T14:00:10.433Z

Link: CVE-2025-68846

cve-icon Vulnrichment

Updated: 2026-02-23T21:46:13.402Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:13.480

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68846

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T11:15:09Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')