Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WHMCSdes Phox Hosting phox-host allows Reflected XSS. This issue affects Phox Hosting: from n/a through <= 2.0.8.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Phox Hosting plugin for WordPress fails to neutralize user input during web page generation, resulting in a reflected cross-site scripting flaw. A crafted request parameter is reflected back to the browser without sanitization, so an attacker can inject arbitrary client-side script that executes in the context of the victim's session. This can lead to theft of session cookies, credential bypass, phishing, or defacement of page content.

Affected Systems

All installations of the Phox Hosting plugin up to and including version 2.0.8 are affected. Any WordPress site that has this plugin installed in those versions is vulnerable. Users visiting URLs that include the vulnerable parameters can be impacted.

Risk and Exploitability

The vulnerability has a CVSS score of 7.1, indicating a high level of risk. The likely attack vector is remote through a crafted URL that requires no special privileges; any user who loads the vulnerable page could be exploited. EPSS data is not available, and the issue is not listed in CISA’s Known Exploited Vulnerabilities catalog, but the combination of moderate‑high severity and a common XSS attack vector suggests that exploitation is plausible in the wild.

Generated by OpenCVE AI on March 25, 2026 at 23:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Phox Hosting plugin to a version newer than 2.0.8 immediately.
  • Verify that the upgrade removes the reflected XSS vector by testing with a benign payload.
  • If an upgrade cannot be applied right away, restrict the affected parameters to an allow-list of known-safe characters or implement input validation on the vulnerable endpoints.
  • Check the vendor’s website or community forums for additional advisories and apply any available patches promptly.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Whmcsdes; Whmcsdes phox Hosting; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Whmcsdes; Whmcsdes phox Hosting; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type: Metrics
Values Added:
cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WHMCSdes Phox Hosting phox-host allows Reflected XSS. This issue affects Phox Hosting: from n/a through <= 2.0.8.

Type: Title
Values Added: WordPress Phox Hosting plugin <= 2.0.8 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:35:39.899Z

Reserved: 2026-01-28T09:51:50.023Z

Link: CVE-2026-25013

Vulnrichment

Updated: 2026-03-25T20:17:40.265Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:41.880

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-25013

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:13:03Z

Weaknesses