CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Description (NVD)
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Kevon Adonis WP Abstracts plugin <= 2.6.2 versions.
Analysis (AI)
The WP Abstracts plugin for WordPress (versions <= 2.6.2) contains an unauthenticated reflected Cross-Site Scripting (XSS) vulnerability. A remote attacker who can get a user to open a crafted URL can cause attacker-supplied JavaScript to execute in that user's browser in the context of the affected site. With an EPSS score of 0.10% (28th percentile), this vulnerability shows relatively low exploitation activity in the wild and is not currently listed in CISA's KEV catalog.
Technical Context (AI)
The vulnerability affects the WP Abstracts Manuscripts Manager plugin (CPE: cpe:2.3:a:kevonadonis:wp_abstracts:*:*:*:*:free:wordpress:*:*) developed by Kevon Adonis. Classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), the flaw is that the plugin reflects user-supplied request input into its HTML response without adequate sanitization or context-appropriate escaping. Because no authentication is required to reach the vulnerable handler, anyone can construct a URL that, when visited by a victim, injects script into the page and runs it with the victim's browser session.
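The following is a constructed illustration of the CWE-79 pattern described above, placed beside the hardened form that uses WordPress's own sanitization and escaping functions. It is not the WP Abstracts plugin's code, and the request parameter name (`q`) and function names are assumptions for the example.

```php
<?php
// Constructed example: a WordPress plugin handler that reflects request input.
// NOT the WP Abstracts plugin's code; parameter "q" and function names are assumed.
// Uses real WordPress APIs: wp_unslash(), sanitize_text_field(), esc_html(),
// esc_attr(), esc_url(), add_query_arg(), home_url().

// Vulnerable pattern (the CWE-79 shape): raw request input is echoed straight
// into the page. Any visitor controls $_GET['q'], so whatever they put in a link
// they hand to a victim is rendered as HTML/JS in the victim's browser.
function wpabs_demo_search_box_vulnerable() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    echo '<p>Results for: ' . $q . '</p>';                     // HTML text context
    echo '<input type="text" name="q" value="' . $q . '">';   // attribute context
}

// Hardened pattern: sanitize on input, then escape on output for each context.
function wpabs_demo_search_box_hardened() {
    // wp_unslash() removes the slashes WordPress adds to superglobals;
    // sanitize_text_field() strips tags, NUL bytes and invalid UTF-8.
    // Sanitizing alone is not enough: it does not encode quotes, so output
    // escaping below is still required.
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';

    // esc_html() for text nodes, esc_attr() inside quoted attributes.
    echo '<p>Results for: ' . esc_html( $q ) . '</p>';
    echo '<input type="text" name="q" value="' . esc_attr( $q ) . '">';

    // URLs built from input go through esc_url(), which also rejects
    // disallowed schemes such as javascript:.
    $link = add_query_arg( 'q', $q, home_url( '/abstracts/' ) );
    echo '<a href="' . esc_url( $link ) . '">Permalink</a>';
}
```

The escaping function must match the output context: esc_html() is not safe inside an attribute, and neither is safe inside an inline script block.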
Remediation (AI)
Update the WP Abstracts plugin to version 2.6.3 or later, which presumably contains the fix for this vulnerability. If immediate patching is not possible, consider temporarily disabling the plugin or adding Web Application Firewall (WAF) rules that filter XSS payloads as a stopgap; note that WAF filtering reduces exposure but does not fix the underlying output-escaping flaw. The Patchstack database links provided in the references should contain additional details about the patch, though specific patch information is not explicitly mentioned in the available data.