Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Softwebmedia Gyan Elements gyan-elements allows Reflected XSS.This issue affects Gyan Elements: from n/a through <= 2.2.1.
AnalysisAI
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Softwebmedia Gyan Elements WordPress plugin through version 2.2.1, allowing attackers to inject malicious scripts that execute in users' browsers when they visit crafted URLs. This vulnerability affects all versions up to and including 2.2.1, enabling attackers to steal session tokens, perform unauthorized actions, or harvest sensitive user data. While no CVSS score or EPSS data is currently published, the nature of reflected XSS combined with WordPress plugin distribution suggests moderate-to-high real-world exploitation potential, particularly if users remain on vulnerable versions.
Technical ContextAI
The vulnerability stems from improper neutralization of user-supplied input during web page generation, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The Gyan Elements plugin (CPE: cpe:2.3:a:softwebmedia:gyan_elements:*:*:*:*:*:*:*:*) fails to properly sanitize or validate input parameters before rendering them in HTTP responses, allowing an attacker to inject arbitrary JavaScript code into the page. This is a client-side vulnerability where the malicious payload reaches the victim's browser without server-side validation, making it a reflected XSS variant that does not persist in the database but rather travels via URL parameters or POST data.
RemediationAI
The primary remediation is to upgrade Gyan Elements to a patched version beyond 2.2.1; administrators should check the official Softwebmedia or WordPress.org plugin repository for available security updates and apply them immediately. Until patching is completed, administrators should restrict plugin functionality or disable the plugin entirely if not critical to operations. Additionally, implement Web Application Firewall (WAF) rules to detect and block reflected XSS patterns targeting the affected plugin's endpoints, enforce Content Security Policy (CSP) headers to restrict inline script execution, and educate end-users not to click on suspicious links containing unusual URL parameters. Monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/gyan-elements/) and official WordPress security sources for patch release announcements.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15551
GHSA-gr57-r782-r33x