Impact
The Simple URLs WordPress plugin contains a cross‑site scripting (XSS) flaw that allows malicious scripts to be injected through unsanitised user input. This weakness, identified as CWE‑79, can lead to client‑side code execution when a visitor loads a page that includes the attacker‑controlled content, enabling phishing, cookie theft, or defacement. The impact is confined to the victim’s browser and does not provide direct remote code execution on the server.
Affected Systems
The vulnerability affects the Simple URLs plugin developed by Andrew Fiebert, specifically versions 151 and earlier. No further vendor or product details are provided beyond the plugin name and the cutoff version.
Risk and Exploitability
The CVSS score of 5.9 indicates medium severity. No EPSS score is available, so there is no clear estimate of exploitation likelihood. The plugin is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers likely exploit this through remote interaction with the web interface, crafting URLs or input that injects JavaScript, which is then rendered by user browsers when the plugin processes the data.
OpenCVE Enrichment