VYPR
High severity · 7.1 · NVD Advisory · Published Nov 6, 2025 · Updated Apr 27, 2026

CVE-2025-53574

Description

Reflected XSS in Doliconnect WordPress plugin <=9.3.2 allows attackers to inject malicious scripts via crafted requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

CVE-2025-53574 is a reflected Cross-Site Scripting (XSS) vulnerability in the Doliconnect WordPress plugin, affecting all versions up to and including 9.3.2. The issue arises from improper neutralization of user-supplied input during web page generation (CWE-79): request data is written into the HTML response without escaping, so an attacker can inject arbitrary HTML and JavaScript into the page the victim receives [1].

Exploitation Method

Exploitation requires user interaction: the victim must open a crafted link or visit a page that issues the crafted request for them. An unauthenticated attacker builds a request whose parameters carry a script payload; the vulnerable code reflects that payload back in the response, and the victim's browser executes it in the context of the affected site. Any visitor who triggers the request is affected, but the impact scales with the privileges of that visitor, so a logged-in administrator is the most valuable target [1].

Potential Impact

Script executed in the victim's browser session runs with that session's privileges on the affected site. Depending on the target, this allows redirection to malicious sites, defacement, injection of advertisements, theft of cookies or session tokens that are not protected by the HttpOnly flag, and other actions performed on behalf of the victim [1].

Mitigation and Patch

The vendor has released version 9.4.2, which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, Patchstack offers a virtual patch to block attacks until the update is applied. The vulnerability is considered moderately dangerous and may be targeted in mass exploitation campaigns, since unauthenticated reflected XSS in WordPress plugins is routinely scanned for at scale [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Patches

866e42cc1e85

Merge pull request #12089 from eoxia-jimmy/develop

Repository: https://github.com/dolibarr/dolibarr · Laurent Destailleur · Nov 2, 2019 · via body-scan
1 file changed · +8 −2
  • htdocs/api/index.php (+8 −2, modified)
    @@ -55,6 +55,12 @@
     require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
     
     
    +$url = $_SERVER['PHP_SELF'];
    +// Fix for some NGINX setups (this should not be required even with NGINX, however setup of NGINX are often mysterious and this may help is such cases)
    +if (! empty($conf->global->MAIN_NGINX_FIX))
    +{
    +	$url = (isset($_SERVER['SCRIPT_URI']) && $_SERVER["SCRIPT_URI"] !== null) ? $_SERVER["SCRIPT_URI"] : $_SERVER['PHP_SELF'];
    +}
     
     // Enable and test if module Api is enabled
     if (empty($conf->global->MAIN_MODULE_API))
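Review bot: the `isset($_SERVER['SCRIPT_URI']) && $_SERVER["SCRIPT_URI"] !== null` test in the `MAIN_NGINX_FIX` branch is redundant, since `isset()` already returns false for a null value; `isset($_SERVER['SCRIPT_URI']) ? $_SERVER['SCRIPT_URI'] : $_SERVER['PHP_SELF']` says the same thing. More importantly, neither branch validates or escapes anything: `$url` is the raw request path in both cases (PHP builds `PHP_SELF` from the script name plus path info, and `SCRIPT_URI`, where the server provides it, is the full request URI including that path), so if this change is meant to address the reflected XSS, the escaping still has to happen wherever the matched path is written into a response. Minor: the comment reads "may help is such cases"; "in such cases" is intended.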
    @@ -67,7 +73,7 @@
     }
     
     // Test if explorer is not disabled
    -if (preg_match('/api\/index\.php\/explorer/', $_SERVER["PHP_SELF"]) && ! empty($conf->global->API_EXPLORER_DISABLED))
    +if (preg_match('/api\/index\.php\/explorer/', $url) && ! empty($conf->global->API_EXPLORER_DISABLED))
     {
         $langs->load("admin");
         dol_syslog("Call Dolibarr API interfaces with module REST disabled");
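Review bot: the explorer gate now reads `$url`, but the regex `/api\/index\.php\/explorer/` is unanchored, so it also fires for any route whose first segment merely begins with `explorer`, and it duplicates the route parsing done a few lines further down with `preg_match('/index\.php\/([^\/]+)(.*)$/', $url, $reg)`. Consider deciding from the parsed first segment (`$reg[1] === 'explorer'`) or anchoring the pattern with `^` and `(\/|$)`, so the explorer check and the router agree on what resource was requested.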
    @@ -91,7 +97,7 @@
     
     
     $reg=array();
    -preg_match('/index\.php\/([^\/]+)(.*)$/', $_SERVER["PHP_SELF"], $reg);
    +preg_match('/index\.php\/([^\/]+)(.*)$/', $url, $reg);
     // .../index.php/categories?sortfield=t.rowid&sortorder=ASC
     
     
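Review bot: `$reg[1]` and `$reg[2]` are captured from `$url`, which with `MAIN_NGINX_FIX` unset is exactly `$_SERVER['PHP_SELF']` (see `$url = $_SERVER['PHP_SELF'];` in the first hunk), so for the default configuration this hunk changes nothing and the captured segments remain unvalidated request input. If the resource name in `$reg[1]` is ever echoed, for example in a "resource not found" message, it needs `dol_escape_htmltag()` or `htmlspecialchars()` at that sink; narrowing the capture to `([A-Za-z0-9_]+)` instead of `([^\/]+)` would additionally reject markup characters before they reach any sink.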
    

Vulnerability mechanics

Root cause

"Unsanitized use of `$_SERVER['PHP_SELF']` in `preg_match()` calls allows reflected cross-site scripting via URL path injection."

Attack vector

An unauthenticated attacker crafts a URL whose path segment after `api/index.php` carries a script payload. PHP assembles `$_SERVER['PHP_SELF']` from the script name plus the extra path information, so the payload arrives in that variable unmodified, and the `preg_match()` calls then capture it into `$reg`. If any of the captured text is later written into the HTML response without escaping, the script runs in the victim's browser. The hunks above show only the matching step, not the output sink, so the reflection itself is inferred from the CWE-79 classification rather than visible in the excerpt. Delivery is over the network with no privileges; the victim must open the crafted link (reflected XSS) [CWE-79].

Affected code

The code in question is `htdocs/api/index.php`. Before the patch it passed `$_SERVER['PHP_SELF']` directly to two `preg_match()` calls, the explorer check and the route parse `index\.php\/([^\/]+)(.*)$`, with no validation of the value. Because `PHP_SELF` contains the script name followed by whatever path information the client appended, the first captured group is effectively attacker-chosen.

What the fix does

The patch introduces a `$url` variable that defaults to `$_SERVER['PHP_SELF']` and is switched to `$_SERVER['SCRIPT_URI']` only when the `MAIN_NGINX_FIX` option is set (falling back to `PHP_SELF` if `SCRIPT_URI` is absent). Both `preg_match()` calls then operate on `$url`. Read carefully, this is a routing fix for NGINX deployments rather than a sanitization change: with the option off the code behaves exactly as before, neither branch escapes or validates anything, and `SCRIPT_URI`, where the web server provides it, is the full request URI and so contains the same attacker-chosen path as `PHP_SELF`. The commit is also in Dolibarr core, is dated Nov 2, 2019 and its message ("Merge pull request #12089 from eoxia-jimmy/develop") does not mention XSS, whereas the CVE concerns the Doliconnect WordPress plugin, was published in 2025 and is fixed in plugin version 9.4.2 according to the advisory above. The association between this commit and the CVE should therefore be treated as unverified [patch_id=1718489].
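To make the mechanics concrete, the following added example (not code from Dolibarr or the Doliconnect plugin) simulates on the PHP command line the request that reaches `api/index.php`: it builds `PHP_SELF` the way PHP does (script name plus path info), applies the patch's route regex, and feeds the captured segment to a hypothetical unescaped error message beside a hardened version that allowlists the resource name and escapes at the sink. The payload, the `SCRIPT_URI` value and the `vulnerableErrorPage`/`hardenedErrorPage` sinks are constructed for the illustration; the diff on this page does not show where the matched path is actually output.

```php
<?php
// Added example, not code from Dolibarr or the Doliconnect plugin.
// Run with: php phpself_xss_demo.php
declare(strict_types=1);

// Constructed requests. PHP builds PHP_SELF as SCRIPT_NAME . PATH_INFO, so
// whatever the client puts after index.php arrives in the variable unchanged.
$scriptName = '/api/index.php';
$requests = [
    'legitimate' => '/categories/12',
    'attack'     => '/<script>alert(document.domain)</script>',
];

// Route parse exactly as the patch does it: first path segment after index.php.
function parseRoute(string $url): array
{
    $reg = [];
    if (!preg_match('/index\.php\/([^\/]+)(.*)$/', $url, $reg)) {
        return ['', ''];
    }
    return [$reg[1], $reg[2]];
}

// Hypothetical unescaped sink: the kind of message that turns the captured
// segment into live markup in the victim's browser.
function vulnerableErrorPage(string $resource): string
{
    return '<p>Unknown API resource: ' . $resource . '</p>';
}

// Hardened form: allowlist the resource name first, then escape at the sink
// (defense in depth; either step alone would already stop this payload).
function hardenedErrorPage(string $resource): string
{
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $resource)) {
        $resource = '(invalid resource name)';
    }
    return '<p>Unknown API resource: '
        . htmlspecialchars($resource, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

foreach ($requests as $label => $pathInfo) {
    $server = [
        'SCRIPT_NAME' => $scriptName,
        'PATH_INFO'   => $pathInfo,
    ];
    $server['PHP_SELF'] = $server['SCRIPT_NAME'] . $server['PATH_INFO'];
    // Where Apache provides it, SCRIPT_URI is the full request URI; it carries
    // the same path, so switching the router to it (as the patch does under
    // MAIN_NGINX_FIX) does not remove the attacker's input. Constructed here.
    $server['SCRIPT_URI'] = 'https://erp.example.test' . $server['PHP_SELF'];

    echo "== $label request ==\n";
    foreach (['PHP_SELF', 'SCRIPT_URI'] as $var) {
        [$resource, $rest] = parseRoute($server[$var]);
        echo "$var captured resource: $resource (rest: '$rest')\n";
    }
    [$resource] = parseRoute($server['PHP_SELF']);
    echo "vulnerable sink: " . vulnerableErrorPage($resource) . "\n";
    echo "hardened sink:   " . hardenedErrorPage($resource) . "\n\n";
}
```

For the attack request both `PHP_SELF` and `SCRIPT_URI` yield the raw `<script>` element as the captured resource, the vulnerable sink emits it as markup, and the hardened sink prints `(invalid resource name)`; the legitimate request passes the allowlist as `categories` untouched. In Dolibarr code the escaping step would normally be the project's own `dol_escape_htmltag()` rather than `htmlspecialchars()`; the point is that it has to happen at the output, regardless of which server variable the router reads.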

Preconditions

  • Network: the attacker must be able to send a crafted HTTP request to the vulnerable endpoint (the advisory names the Doliconnect plugin; the linked patch touches Dolibarr's `api/index.php`).
  • Authentication: none is required; the vulnerability is triggerable by an unauthenticated user.
  • User interaction: the victim must click or be redirected to the attacker's crafted URL (reflected XSS).

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
