CVE-2025-23550

Vulnerability

Overview

The Product Puller plugin for WordPress, versions up to and including 1.5.1, contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw occurs when the plugin fails to sanitize or escape input before including it in output, allowing attackers to inject arbitrary HTML and JavaScript.

Exploitation

Requirements

Exploitation requires user interaction; a privileged user (such as an administrator) must click a malicious link, visit a crafted page, or submit a specially crafted form [1]. The attack can be initiated by an unauthenticated attacker, but successful execution depends on enticing a privileged user to perform the action. This makes the vulnerability moderately dangerous and suitable for mass-exploit campaigns targeting thousands of WordPress sites.

Impact

If exploited, an attacker can inject malicious scripts that execute in the context of the victim's browser. This can lead to redirection to malicious sites, display of advertisements, theft of session cookies, or other actions that compromise the integrity of the website and its visitors [1].

Mitigation

Users are strongly advised to update the Product Puller plugin to a patched version as soon as it becomes available. In the meantime, Patchstack has issued a mitigation rule that blocks attacks until an official patch can be tested and applied [1]. If immediate update is not possible, contacting a hosting provider or web developer for assistance is recommended.