Plausible tracking - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-107
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Plausible tracking allows Cross-Site Scripting (XSS). This issue affects Plausible tracking: from 0.0.0 before 1.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored cross-site scripting vulnerability in the Drupal Plausible tracking module (versions before 1.0.2) allows attackers with permission to add raw HTML to inject arbitrary scripts.
Vulnerability Analysis
CVE-2025-10927 describes a stored cross-site scripting (XSS) vulnerability in the Drupal Plausible tracking module. The flaw arises from improper neutralization of user input during web page generation, specifically because the module does not sanitize output in certain scenarios when rendering data from the Plausible Analytics integration [2].
Exploitation Prerequisites
An attacker must have the ability to add raw HTML to the Drupal website, such as through an unfiltered WYSIWYG field on a public-facing comment form. This privilege requirement mitigates the severity, as not all users can inject content [2]. The exploitation is network-based and requires no authentication beyond the necessary permissions.
Impact
If successful, the attacker can execute arbitrary JavaScript in the context of a victim's browser session. This can lead to data theft, session hijacking, defacement, or redirection to malicious sites. The CVSS v4.0 vector is not yet provided by NIST [1], but the Drupal security advisory rates this as "Moderately critical" [2].
Mitigation
The vulnerability is fixed in version 1.0.2 of the Plausible tracking module. Users are strongly advised to update immediately. There is no evidence this issue is exploited in the wild, and no workaround is documented apart from applying the patch [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/plausible_tracking (Packagist) | < 1.0.2 | 1.0.2 |
Affected products
- Range: <1.0.2
- Drupal/Plausible tracking (v5), Range: 0.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-pr6m-qwrr-mrw9 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-10927 (ghsa, ADVISORY)
- www.drupal.org/sa-contrib-2025-107 (ghsa, WEB)
News mentions
No linked articles in our index yet.