CVE-2025-54670

Vulnerability

Overview CVE-2025-54670 is a reflected Cross-Site Scripting (XSS) vulnerability in the WordPress plugin oik, affecting versions from n/a through 4.15.2. The issue arises from improper neutralization of user-supplied input during web page generation, allowing an attacker to inject malicious scripts into the application's response [1].

Exploitation

Exploitation requires user interaction—a privileged user must click a crafted link or submit a malicious form. The attack can be initiated by an unauthenticated attacker, but successful script execution depends on the victim performing an action, such as visiting a specially crafted URL. This reflected XSS vector enables attackers to inject arbitrary HTML and JavaScript into the victim's browser session within the context of the affected site [1].

Impact

An attacker who successfully exploits this vulnerability can execute malicious scripts in the victim's browser, which may lead to session hijacking, defacement, redirection to malicious sites, or the injection of advertisements and other payloads. The CVSS v3.0 base score of 7.1 (High) reflects the potential for significant impact on confidentiality, integrity, and availability, although user interaction is required [1].

Mitigation

The vulnerability has been addressed in oik version 4.15.3. Users are strongly advised to update the plugin immediately. Patchstack has also issued a mitigation rule for customers unable to update immediately. Given the risk of mass exploitation in WordPress ecosystems, prompt patching is recommended [1].