Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Whizz Plugins whizz-plugins allows Reflected XSS.This issue affects Whizz Plugins: from n/a through <= 1.9.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw that allows user input to be improperly neutralized in the WordPress Whizz Plugins plugin. By manipulating query parameters or form fields, an attacker can inject malicious JavaScript that is reflected back into the page when a victim visits the crafted URL or submits the input. This can result in the execution of arbitrary script in the victim’s browser and unintended page content.

Affected Systems

The flaw affects the Fox‑Themes Whizz Plugins package for WordPress, version 1.9 and all earlier releases. Any WordPress installation that has the plugin installed with a version ≤ 1.9 is potentially vulnerable. No other products or versions are listed as affected.

Risk and Exploitability

The CVSS v3 score of 7.1 signifies a high severity for this reflected XSS vulnerability. The EPSS score of less than 1% indicates that exploitation attempts are currently rare, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves the attacker crafting a malicious URL or input that is processed by the plugin and reflected back into the browser of a user who visits the site. If the victim clicks the link or submits the input, the injected script runs in the browser context with the privileges of the visitor, potentially affecting the displayed content.

Generated by OpenCVE AI on April 16, 2026 at 16:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Whizz Plugins plugin to any release newer than version 1.9, which incorporates the proper input sanitization fix.
  • If an immediate upgrade is not possible, remove the plugin from the WordPress installation or disable any features that reflect user-supplied data.
  • Deploy a web application firewall (WAF) rule set that detects and blocks suspicious script payloads in query strings and POST data, and verify that the WordPress core and other plugins remain current with their latest secure releases.

Generated by OpenCVE AI on April 16, 2026 at 16:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Fox-themes
Fox-themes whizz Plugins
Wordpress
Wordpress wordpress
Vendors & Products Fox-themes
Fox-themes whizz Plugins
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Whizz Plugins whizz-plugins allows Reflected XSS.This issue affects Whizz Plugins: from n/a through <= 1.9.
Title WordPress Whizz Plugins plugin <= 1.9 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Fox-themes Whizz Plugins
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:51.787Z

Reserved: 2026-01-28T09:50:29.518Z

Link: CVE-2026-24955

cve-icon Vulnrichment

Updated: 2026-02-20T18:22:43.167Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:39.683

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24955

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T16:45:25Z

Weaknesses