Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Astra Bulk Edit astra-bulk-edit allows DOM-Based XSS.This issue affects Astra Bulk Edit: from n/a through <= 1.2.10.
AnalysisAI
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the Brainstorm Force Astra Bulk Edit WordPress plugin through version 1.2.10, allowing authenticated attackers to inject malicious scripts that execute in the context of other users' browsers. An attacker with low-privilege account access (e.g., contributor or editor role) can craft malicious input that, when processed by the bulk edit functionality, results in arbitrary JavaScript execution affecting site administrators and other users. The vulnerability requires user interaction (UI:R) but can affect multiple users across the site due to its stored/DOM-based nature, making it a persistent attack vector for privilege escalation or data exfiltration.
Technical ContextAI
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically manifesting as DOM-based XSS. DOM-based XSS occurs when client-side JavaScript code processes user-controlled input unsafely, using methods like innerHTML, eval(), or similar DOM manipulation without proper sanitization or encoding. In the Astra Bulk Edit plugin (CPE: cpe:2.3:a:brainstorm_force:astra_bulk_edit), the bulk edit functionality likely accepts user input through form fields or AJAX requests and reflects this data directly into the DOM without adequate output encoding or Content Security Policy (CSP) protections. The vulnerability affects the plugin's ability to safely handle form inputs during batch editing operations, a common attack surface in administrative interfaces where multiple data fields are processed simultaneously.
RemediationAI
Immediately upgrade the Astra Bulk Edit plugin to a patched version released after 1.2.10 via the WordPress admin dashboard (Plugins > Updates) or by downloading the latest version from the official WordPress plugin repository. Verify the upgrade completed successfully and review the plugin changelog to confirm XSS protections were implemented. As a temporary measure pending patch availability, site administrators should restrict bulk edit functionality to trusted administrator accounts only by using role management plugins or disabling bulk edit capabilities for lower-privilege users. Additionally, implement a Content Security Policy (CSP) header with script-src restrictions and enable WordPress security hardening plugins that provide input validation and output encoding protections. Monitor for any suspicious activity in audit logs correlating with bulk edit operations, as DOM-based XSS in administrative interfaces may indicate compromise of editor or contributor accounts.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11965