CVE-2025-52727
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuanticaLabs CSS3 Vertical Web Pricing Tables css3_vertical_web_pricing_tables allows Reflected XSS. This issue affects CSS3 Vertical Web Pricing Tables: from n/a through <= 1.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in the CSS3 Vertical Web Pricing Tables plugin for WordPress allows unauthenticated attackers to inject malicious scripts via crafted requests.
The CSS3 Vertical Web Pricing Tables plugin for WordPress suffers from a reflected cross-site scripting (XSS) vulnerability. The root cause is the improper neutralization of user input during web page generation, specifically within the css3_vertical_web_pricing_tables plugin. This flaw affects all versions up to and including 1.9, and is classified as a reflected XSS issue [1].
Exploitation of this vulnerability requires user interaction. An attacker must trick a privileged user, such as a site administrator, into clicking a crafted link or visiting a specially prepared page. No authentication is needed to deliver the malicious payload, but the target user must perform an action like clicking a link to trigger the script [1].
An attacker who successfully exploits this flaw can inject arbitrary HTML and JavaScript code into the affected site's pages. This could be used to execute redirects, display unauthorized advertisements, steal session cookies, or perform other malicious actions when regular site visitors access the compromised page [1].
The vulnerability is considered moderate in severity (CVSS 7.1) and is expected to be targeted in mass exploitation campaigns. The vendor has released version 2.0 of the plugin, which fixes the issue. Users are strongly advised to update to version 2.0 or later. For those unable to update immediately, Patchstack offers a virtual patching rule to block exploitation attempts [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.9
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.