CVE-2025-54722

Vulnerability

Overview

CVE-2025-54722 describes a reflected Cross-Site Scripting (XSS) vulnerability in the WooTour plugin for WordPress, affecting all versions up to and including 3.6.3. The root cause is improper neutralization of user-supplied input during web page generation [1]. This allows an attacker to inject arbitrary HTML and JavaScript into a page, which then executes in the browser of a victim who accesses a crafted link or page.

Exploitation

Requirements

To exploit this flaw, an attacker must convince a privileged user (such as an administrator) to interact with a malicious link, visit a specially crafted page, or submit a form. The vulnerability is classified as reflected XSS, meaning the payload is delivered via a request and reflected back in the immediate response, requiring that the victim take an action to trigger the execution [1].

Impact

Successful exploitation enables the attacker to inject malicious scripts — including redirects, ads, or other HTML payloads — into the website. These scripts execute when other users (including guests) visit the affected site, potentially leading to session hijacking, defacement, or phishing attacks [1]. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns.

Mitigation

The vendor has released version 3.6.4, which patches the vulnerability. Users are strongly advised to update immediately. Those unable to update should contact their hosting provider or web developer for assistance. Patchstack also offers a mitigation rule to block attacks until the update is applied [1].