Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Soledad Data Migrator penci-data-migrator allows Reflected XSS. This issue affects Penci Soledad Data Migrator: from n/a through <= 1.3.1.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (client‑side script execution)
Action: Patch
AI Analysis

Impact

The vulnerability is an improper neutralization of user input in the PenciDesign Penci Soledad Data Migrator WordPress plugin, leading to reflected Cross‑Site Scripting. When a request contains certain parameters, the plugin outputs the data directly to the web page without encoding, allowing an attacker to inject and execute arbitrary JavaScript in the context of any user who visits the crafted URL.

Affected Systems

This flaw impacts the WordPress plugin Penci Soledad Data Migrator developed by PenciDesign. All releases from the earliest available version up to and including 1.3.1 are affected. Site owners running any of these versions should verify the installed version and consider remediation.

Risk and Exploitability

The CVSS base score of 7.1 is rated High. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a reflected XSS payload embedded in a crafted link that the user must visit; this inference is drawn from the described behavior that the plugin echoes untrusted input to the page.

Generated by OpenCVE AI on March 25, 2026 at 23:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the installed version of the Penci Soledad Data Migrator plugin on your WordPress site and confirm if it is version 1.3.1 or older.
  • If a newer version is available, upgrade the plugin immediately to a version that contains the XSS fix.
  • If the plugin is no longer maintained or no update is available, uninstall or deactivate the plugin to eliminate the risk.
  • After updating or removing the plugin, test your site by loading it with a query parameter that includes special characters to confirm that no reflected input appears.
  • Maintain a routine update schedule for WordPress plugins and monitor security advisories for future notices.



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Pencidesign; Pencidesign penci Soledad Data Migrator; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Pencidesign; Pencidesign penci Soledad Data Migrator; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type: Metrics
Values Added:
cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Soledad Data Migrator penci-data-migrator allows Reflected XSS. This issue affects Penci Soledad Data Migrator: from n/a through <= 1.3.1.

Type: Title
Values Added: WordPress Penci Soledad Data Migrator plugin <= 1.3.1 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:10.430Z

Reserved: 2026-02-17T13:23:30.505Z

Link: CVE-2026-27054

Vulnrichment

Updated: 2026-03-25T20:04:32.723Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:54.523

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-27054

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:36Z

Weaknesses