Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shalomworld SW Plus allows Reflected XSS. This issue affects SW Plus: from n/a through 2.1.
AnalysisAI
Reflected cross-site scripting in SW Plus WordPress plugin through version 2.1 allows remote attackers to inject malicious scripts into web pages viewed by other users. Attack requires user interaction (victim must click a malicious link) but needs no authentication. EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation, consistent with typical reflected XSS patterns requiring social engineering. Patchstack database lists this as a confirmed vulnerability with dedicated entry, though no public exploit code or CISA KEV listing exists at time of analysis.
Technical ContextAI
This is a CWE-79 Cross-Site Scripting vulnerability in the SW Plus WordPress plugin (Shalom World Media Gallery), a media management plugin for WordPress. Reflected XSS occurs when user-supplied input is immediately returned in HTTP responses without proper sanitization or output encoding. The CVSS vector indicates network-based delivery (AV:N) with low attack complexity (AC:L), suggesting the vulnerable parameter is easily accessible via URL or form input. The Changed scope (S:C) indicates the malicious script executes in the victim's browser context, potentially accessing cookies, session tokens, or performing actions as the authenticated user across the WordPress site domain. WordPress plugins commonly suffer from reflected XSS when processing GET/POST parameters for search, filters, or media gallery navigation without applying wp_kses() or esc_html() sanitization functions.
Affected ProductsAI
SW Plus (also known as Shalom World Media Gallery) WordPress plugin versions up to and including 2.1 are confirmed vulnerable per Patchstack database entry. The vulnerability report indicates all versions from inception through 2.1 contain the reflected XSS flaw. No specific platform requirements beyond WordPress installation are documented. Vendor advisory and patch information available at https://patchstack.com/database/wordpress/plugin/shalom-world-media-gallery/vulnerability/wordpress-sw-plus-plugin-2-1-reflected-cross-site-scripting-xss-vulnerability.
RemediationAI
Upgrade SW Plus WordPress plugin to a version newer than 2.1 if available - consult the WordPress plugin repository or Patchstack advisory at https://patchstack.com/database/wordpress/plugin/shalom-world-media-gallery/vulnerability/wordpress-sw-plus-plugin-2-1-reflected-cross-site-scripting-xss-vulnerability for the specific patched release. If immediate upgrade is not feasible, implement compensating controls: (1) Deploy Content Security Policy headers with script-src 'self' directive to prevent execution of injected scripts (may break legitimate inline JavaScript in WordPress admin or themes - test thoroughly in staging), (2) Restrict plugin access to trusted administrator accounts only via WordPress capability management, (3) Implement Web Application Firewall rules to detect and block common XSS payloads in URL parameters associated with the media gallery plugin (may cause false positives on legitimate media filenames containing special characters), (4) Disable the SW Plus plugin entirely if media gallery functionality is not actively required. Monitor WordPress access logs for suspicious parameters containing script tags, event handlers, or encoded JavaScript in requests to plugin endpoints.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today