CVE-2025-52778

CVE-2025-52778: Reflected XSS in xili-dictionary

The WordPress xili-dictionary plugin version 2.12.5.2 and earlier suffers from a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of input during web page generation [1]. This flaw occurs in one or more parameters that are echoed back to the user without proper sanitization or output encoding.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing JavaScript payload. When a privileged user (e.g., an administrator) clicks such a link, the injected script executes in the context of the victim's browser. Successful exploitation requires user interaction, such as clicking the link or visiting a specially crafted page [1].

Impact

A successful attack allows the attacker to inject arbitrary HTML and JavaScript into the website. This can be used to create redirects, display advertisements, steal session cookies, or perform other malicious actions when visitors load the affected page [1]. The vulnerability is considered moderately dangerous and may be used in mass-exploit campaigns.

Mitigation

The vendor has not yet released an official patch, but Patchstack has issued a virtual mitigation rule to block attacks [1]. Users are strongly advised to update the plugin to a patched version as soon as it becomes available, or apply a web application firewall (WAF) rule to protect against exploitation.