Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UpSolution UpSolution Core us-core allows Reflected XSS.This issue affects UpSolution Core: from n/a through <= 8.41.
AnalysisAI
A Reflected Cross-Site Scripting (XSS) vulnerability exists in UpSolution Core plugin versions through 8.41, allowing attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects the UpSolution Core WordPress plugin (CPE: cpe:2.3:a:upsolution:upsolution_core), enabling attackers to steal session tokens, perform actions on behalf of users, or redirect users to malicious sites through crafted URLs. No CVSS score, EPSS probability, or KEV status is currently available, though Patchstack has confirmed and documented this as a reflected XSS vulnerability.
Technical ContextAI
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic input validation and output encoding failure. The UpSolution Core plugin (identified via CPE cpe:2.3:a:upsolution:upsolution_core:*:*:*:*:*:*:*:*) fails to properly sanitize user-supplied input before reflecting it back in HTML responses. Reflected XSS occurs when an attacker crafts a malicious URL containing unencoded JavaScript payload that the application echoes directly into the page source without proper HTML entity encoding, allowing the browser to execute the script in the victim's security context. This is a server-side input handling vulnerability affecting the WordPress plugin infrastructure.
RemediationAI
Update UpSolution Core to a version greater than 8.41 as soon as a patched release becomes available; consult the vendor advisory and Patchstack database for patch availability and release notes. In the interim, implement output encoding on all user-supplied input reflected in HTML responses using WordPress escaping functions (e.g., esc_html(), esc_url(), wp_kses_post()) and apply Content Security Policy (CSP) headers with strict-dynamic to mitigate XSS payload execution. Additionally, restrict plugin functionality to trusted administrators and users, disable plugin auto-updates if it may introduce instability, and monitor server logs and user activity for signs of exploitation. Organizations should reference the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/us-core/vulnerability/wordpress-upsolution-core-plugin-8-41-reflected-cross-site-scripting-xss-vulnerability for official guidance from the security research community.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15604
GHSA-jjpq-g8xj-hcf8