Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in peterwsterling Simple Archive Generator simple-archive-generator allows Reflected XSS. This issue affects Simple Archive Generator: from n/a through <= 5.2.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Simple Archive Generator plugin contains an improper neutralization of input during web page generation that allows an attacker to inject malicious JavaScript into responses. If executed, the injected script runs in the browser of any user who views the affected page, potentially enabling cookie theft, session hijacking, or malicious redirects. The weakness is classified as CWE‑79 and carries a CVSS score of 7.1, which indicates a high severity for impact on confidentiality and integrity of user sessions.

Affected Systems

This vulnerability affects the WordPress plugin Simple Archive Generator from peterwsterling, with all versions up to and including 5.2. Users who have not upgraded beyond version 5.2 remain vulnerable.

Risk and Exploitability

The EPSS score of less than 1% suggests that exploitation attempts are currently rare, and the flaw is not listed in the CISA KEV catalogue. The likely attack vector involves an attacker crafting a URL or form input that is reflected unescaped in the page output; any visitor who follows that link would be exposed. While the exploitation path is straightforward, the need for a user to request the vulnerable page and the low EPSS score combine to give a moderate overall risk, but the potential impact warrants urgent remediation.

Generated by OpenCVE AI on April 29, 2026 at 10:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Simple Archive Generator plugin to the latest available version (greater than 5.2).
  • If an immediate update is not possible, deactivate or uninstall the plugin to eliminate the reflected XSS vector.
  • Review the WordPress site for other input handling flaws and ensure that future plugin updates include proper data sanitization.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 22:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Peter Sterling
  Peter Sterling simple Archive Generator
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Peter Sterling
  Peter Sterling simple Archive Generator
  Wordpress
  Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in peterwsterling Simple Archive Generator simple-archive-generator allows Reflected XSS. This issue affects Simple Archive Generator: from n/a through <= 5.2.

Type: Title
Values Removed: (none)
Values Added: WordPress Simple Archive Generator plugin <= 5.2 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:06:01.640Z

Reserved: 2025-12-24T14:00:32.364Z

Link: CVE-2025-68880

Vulnrichment

Updated: 2026-02-23T21:45:55.428Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:15.013

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68880

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:45:09Z

Weaknesses