CVE-2025-27271

Vulnerability

Overview The vulnerability is a reflected Cross-Site Scripting (XSS) found in the WordPress plugin DB Tables Import/Export, affecting versions from n/a through 1.0.1. The root cause is improper neutralization of user-supplied input during web page generation, enabling an attacker to inject arbitrary HTML and JavaScript into the application's response [1].

Exploitation

Conditions Exploitation requires user interaction, such as clicking a crafted link or visiting a malicious page. Although the attack can be initiated by a privileged user, successful execution depends on a victim performing an action (e.g., clicking a link) while authenticated to the WordPress admin panel. This type of vulnerability is often used in mass-exploit campaigns targeting thousands of sites regardless of size [1].

Impact and

Mitigation A successful exploit could allow an attacker to inject malicious scripts, leading to redirects, site defacement, or theft of sensitive information. The CVSS v3 score is 7.1 (High), indicating moderate danger. As of publication, no official patch is available, but Patchstack has released a mitigation rule to block attacks until an update can be safely applied. Users are advised to update the plugin immediately or consult their hosting provider for assistance [1].