VYPR
High severity 7.1 · NVD Advisory · Published May 23, 2025 · Updated Apr 23, 2026

CVE-2025-47680

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michel - xiligroup dev xili-tidy-tags xili-tidy-tags allows Reflected XSS. This issue affects xili-tidy-tags: from n/a through <= 1.12.06.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in xili-tidy-tags WordPress plugin ≤1.12.06 allows attackers to inject malicious scripts via unneutralized input.

The xili-tidy-tags plugin for WordPress is vulnerable to reflected cross-site scripting (XSS) due to improper neutralization of user-supplied input during web page generation. This affects versions from n/a through 1.12.06. The vulnerability occurs when the plugin fails to sanitize or escape input before including it in page output, enabling an attacker to inject arbitrary HTML or JavaScript code.

Exploitation requires user interaction, such as clicking a crafted link or visiting a specially prepared page. No authentication is required, making it accessible to any unauthenticated attacker. The attack surface is typical for reflected XSS: the malicious payload is delivered via a URL parameter and executed in the context of the victim's browser.

Successful exploitation allows an attacker to execute arbitrary scripts in the victim's browser, potentially leading to redirects, ad injection, data theft, or other malicious actions. The CVSS score of 7.1 (High) reflects the moderate impact and ease of exploitation.

The vulnerability has been patched by the vendor. Users are strongly advised to update to a safe version. For those unable to update immediately, Patchstack offers a virtual patch to block exploitation attempts [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
