Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Soledad Data Migrator penci-data-migrator allows Reflected XSS.This issue affects Penci Soledad Data Migrator: from n/a through <= 1.3.1.
AnalysisAI
A Reflected Cross-Site Scripting (XSS) vulnerability exists in PenciDesign's Penci Soledad Data Migrator plugin through version 1.3.1, allowing attackers to inject malicious scripts that execute in users' browsers when they visit a crafted URL. The vulnerability affects all versions up to and including 1.3.1 of the WordPress plugin. An attacker can exploit this to steal session cookies, perform actions on behalf of authenticated users, or redirect users to malicious sites, with the attack requiring only that a victim click a malicious link-no special privileges or interaction with the application itself required.
Technical ContextAI
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when user-supplied input is not properly sanitized or escaped before being rendered in HTML output. The Penci Soledad Data Migrator plugin (CPE: cpe:2.3:a:pencidesign:penci_soledad_data_migrator:*:*:*:*:*:*:*:*) fails to neutralize untrusted data in HTTP request parameters, likely in plugin settings pages or data migration endpoints. The vulnerability is characterized as Reflected XSS rather than Stored XSS, meaning the payload is not persisted in the database but instead reflected directly from the request URL, making it dependent on social engineering to deliver the attack payload to victims.
RemediationAI
Immediately upgrade the Penci Soledad Data Migrator plugin to a version newer than 1.3.1 if a patch has been released by PenciDesign. Check the official PenciDesign website or WordPress plugin repository for available updates and security advisories. Until a patched version is available, disable or deactivate the plugin entirely if data migration is not actively in use. As a temporary mitigating control, restrict plugin access to trusted administrator IP addresses via Web Application Firewall rules or .htaccess restrictions, implement Content Security Policy (CSP) headers to prevent inline script execution, and educate users not to click on suspicious links containing plugin parameter values. Monitor for any exploitation attempts in web server logs by searching for URL-encoded script tags or JavaScript event handlers in request parameters.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15771
GHSA-983x-4488-q3qw