Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arevico WP Simple Redirect wp-simple-redirect allows Reflected XSS. This issue affects WP Simple Redirect: from n/a through <= 1.1.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability permits reflected cross‑site scripting in the Arevico WP Simple Redirect plugin. When a user follows a specially crafted URL, the plugin fails to properly neutralize input before rendering it in the web page, enabling an attacker to inject and execute arbitrary client‑side script. The impact is limited to the victim’s browser, potentially leading to session hijacking, defacement, or phishing through the compromised website.

Affected Systems

The affected product is the WordPress WP Simple Redirect plugin by Arevico, all versions up to and including 1.1 (no lower bound is given). All installations of these versions on WordPress sites are vulnerable.

Risk and Exploitability

With a CVSS score of 7.1, the vulnerability is rated High in severity. The EPSS score of < 1% indicates a very low likelihood of exploitation in the wild. The issue is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, via a crafted URL that an attacker can share or embed, leading the victim’s browser to execute malicious code.

Generated by OpenCVE AI on April 29, 2026 at 10:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Simple Redirect to a version newer than 1.1.
  • Ensure that any user‑supplied redirect URLs are validated or sanitized, limiting redirects to trusted domains.
  • Remove any malicious content that may have been injected while the vulnerability existed.



Advisories

No advisories yet.

History

Tue, 27 Jan 2026 22:15:00 +0000

Values Removed: (none)
Values Added:
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Values Removed: (none)
Values Added:
  First Time appeared: Wordpress; Wordpress wordpress
  Vendors & Products: Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Values Removed: (none)
Values Added:
  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arevico WP Simple Redirect wp-simple-redirect allows Reflected XSS. This issue affects WP Simple Redirect: from n/a through <= 1.1.
  Title: WordPress WP Simple Redirect plugin <= 1.1 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:06:29.640Z

Reserved: 2025-12-24T14:00:37.597Z

Link: CVE-2025-68884

Vulnrichment

Updated: 2026-01-27T21:26:16.540Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:12.917

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68884

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:00:10Z

Weaknesses