CVE-2025-63057

The WP Ultimate Review plugin for WordPress is vulnerable to a DOM-based Cross-Site Scripting (XSS) vulnerability in versions up to and including 2.3.7. This flaw arises from improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary JavaScript into the DOM of a victim's browser [1].

Exploitation requires a privileged user (such as an administrator) to perform an action, such as clicking a malicious link, visiting a crafted page, or submitting a specially crafted form. The attack surface is the plugin's review functionality, where unsanitized input can be stored and later executed in the context of the victim's session [1].

Successful exploitation enables an attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads, which are executed when other users visit the affected site. This can lead to session hijacking, defacement, or further compromise of the WordPress installation [1].

The vulnerability has been addressed in version 2.3.8 of the plugin. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins to ensure protection [1].