Nextmove

3 CVEs product

CVE-2025-62969 MEDIUM This Month

Stored cross-site scripting (XSS) in XLPlugins NextMove Lite WordPress plugin versions through 2.23.0 allows authenticated users with low privileges to inject malicious scripts into thank-you pages, affecting site visitors, with escalated impact in multi-site contexts. The vulnerability requires user interaction (a page visit) and leverages the plugin's improper input sanitization during web page generation. EPSS exploitation probability is low (0.02%), and no confirmed active exploitation has been reported; however, the stored nature and authenticated attack vector make it a meaningful risk for WordPress sites with untrusted user roles.

Tags: WordPress, PHP, XSS, Nextmove | Source: NVD | CVSS 3.1: 6.5 | EPSS: 0.0%

CVE-2025-52735 MEDIUM This Month

Reflected cross-site scripting (XSS) in XLPlugins NextMove Lite WordPress plugin versions up to 2.24.0 allows authenticated attackers to inject malicious scripts via unvalidated input during web page generation. An attacker with user credentials can craft a malicious link that, when clicked by another user, executes arbitrary JavaScript in that user's browser context. The vulnerability carries a moderate CVSS score of 6.5 but exhibits very low real-world exploitation probability (EPSS 0.03%, 8th percentile), indicating it has not been actively exploited in practice despite public disclosure of the vulnerability.

Tags: WordPress, PHP, XSS, Nextmove | Source: NVD | CVSS 3.1: 6.5 | EPSS: 0.0%

CVE-2024-10860 MEDIUM This Month

The NextMove Lite - Thank You Page for WooCommerce plugin for WordPress is vulnerable to unauthorized submission of data due to a missing capability check on the _submit_uninstall_reason_action() function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.

Tags: WordPress, Authentication Bypass, Nextmove | Source: NVD | CVSS 3.1: 4.3 | EPSS: 0.1%