CVE-2025-64260
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marco Milesi ANAC XML Bandi di Gara avcp allows Reflected XSS. This issue affects ANAC XML Bandi di Gara: from n/a through <= 7.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in the ANAC XML Bandi di Gara WordPress plugin allows attackers to inject malicious scripts via unsanitized input, requiring user interaction.
Vulnerability
Overview
The ANAC XML Bandi di Gara WordPress plugin (up to version 7.7) suffers from a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This means the plugin fails to sanitize or escape certain input before including it in output, allowing an attacker to craft a malicious URL or request that, when clicked or submitted by a privileged user, injects arbitrary HTML or JavaScript into the page [1].
Exploitation
Prerequisites
Exploitation requires user interaction: a logged-in user with appropriate privileges must perform an action such as clicking a crafted link, visiting a maliciously prepared page, or submitting a specially crafted form. The vulnerability can be triggered without authentication from the attacker's side, but the victim user must have some level of access (e.g., administrator, editor) for the script to execute in the context of the WordPress admin panel or frontend, depending on the vulnerable parameter location [1].
Impact
Successful exploitation allows an attacker to inject arbitrary scripts, which can be used to perform redirections to malicious sites, display advertisements, steal session cookies, or deface the website. Since XSS can be used to perform actions on behalf of the victim user, it may lead to privilege escalation or further compromise of the WordPress site [1].
Mitigation
A patched version 7.7.1 has been released to resolve the vulnerability. Users are strongly advised to update immediately. If updating is not possible, a mitigation rule is available from Patchstack to block attacks until the plugin can be updated. Automatic updates are recommended for Patchstack users [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0 (no linked articles in the index yet)