Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Organici Library noo-organici-library allows Reflected XSS.This issue affects Organici Library: from n/a through <= 2.1.2.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected XSS
Action: Immediate Patch
AI Analysis

Impact

Improper handling of user input allows malicious scripts to be injected into pages served by the WordPress Organici Library plugin. When a victim accesses a crafted URL, the unfiltered input is reflected back into the browser, enabling an attacker to run arbitrary JavaScript. This can lead to credential theft, session hijacking, and site defacement.

Affected Systems

The vulnerability affects the NooTheme Organici Library plugin for WordPress, specifically versions up to and including 2.1.2. Any WordPress site that has installed or is currently running this plugin version is potentially exposed.

Risk and Exploitability

With a CVSS score of 7.1 the risk is considered high. The exploit is straightforward: an attacker only needs to host a malicious link that the victim follows, and the vulnerability is client‑side, so no special privileges are required. Although the EPSS score is unknown and the flaw is not listed in the CISA KEV catalog, sites that have not applied the patch remain at a moderate to high risk of exploitation.

Generated by OpenCVE AI on March 25, 2026 at 22:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the NooTheme Organici Library plugin to the latest version (v2.1.3 or later)
  • If an update is not immediately available, disable or remove the plugin until a fix is released

Generated by OpenCVE AI on March 25, 2026 at 22:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Nootheme
Nootheme organici Library
Wordpress
Wordpress wordpress
Vendors & Products Nootheme
Nootheme organici Library
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Organici Library noo-organici-library allows Reflected XSS.This issue affects Organici Library: from n/a through <= 2.1.2.
Title WordPress Organici Library plugin <= 2.1.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Nootheme Organici Library
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:07.708Z

Reserved: 2026-01-28T09:50:41.579Z

Link: CVE-2026-24975

cve-icon Vulnrichment

Updated: 2026-03-25T20:17:52.932Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:16:39.760

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-24975

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:13:08Z

Weaknesses