Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stmcan NaturaLife Extensions naturalife-extensions allows Reflected XSS. This issue affects NaturaLife Extensions: from n/a through <= 2.1.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation that allows reflected cross‑site scripting. An attacker can place script in a request whose content is reflected unencoded into the server's response, so the script executes in the victim's browser and can lead to session hijacking or unauthorized disclosure of data. The weakness is categorized as CWE‑79, a reflected XSS flaw.

Affected Systems

All installations of the WordPress NaturaLife Extensions plugin at version 2.1 or older are affected. No lower bound is given (n/a), so every earlier version should be treated as affected. The plugin is developed by stmcan.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while the EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed exploit activity yet. The attack vector is most likely a crafted URL or form input that is echoed back in the page. An attacker can exploit it remotely by luring a user to a malicious link or by manipulating parameters in a legitimate request.

Generated by OpenCVE AI on March 25, 2026 at 23:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the NaturaLife Extensions plugin to version 2.2 or later
  • If an update cannot be applied immediately, deactivate or remove the plugin from the WordPress installation
  • Install a web application firewall or input validation filter to block reflected XSS patterns
  • Monitor site logs for unexpected script execution or unusual authentication activity


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Stmcan; Stmcan naturalife Extensions; Wordpress; Wordpress wordpress
Vendors & Products    (none)           Stmcan; Stmcan naturalife Extensions; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type       Values Removed   Values Added
Metrics    (none)           cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
                            ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stmcan NaturaLife Extensions naturalife-extensions allows Reflected XSS. This issue affects NaturaLife Extensions: from n/a through <= 2.1.
Title         (none)           WordPress NaturaLife Extensions plugin <= 2.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses    (none)           CWE-79
References    (none)           (none)

Subscriptions

Stmcan Naturalife Extensions
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:35:39.694Z

Reserved: 2026-01-28T09:51:55.182Z

Link: CVE-2026-25018

Vulnrichment

Updated: 2026-03-25T20:17:37.210Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:42.167

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-25018

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:13:02Z

Weaknesses