CVE-2025-64365

Vulnerability

Overview

CVE-2025-64365 is a DOM-Based Cross-Site Scripting (XSS) vulnerability found in the Ohio Extra plugin for WordPress, affecting versions up to and including 3.6.0. The root cause is improper neutralization of user input during web page generation, allowing an attacker to inject arbitrary JavaScript into the DOM of a victim's browser [1].

Exploitation

Details

Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page. The vulnerability can be triggered by a privileged user (e.g., an administrator) performing an action, but the injected script executes in the context of any visitor's session. No authentication is needed for the attacker to deliver the payload, but the victim must be logged in or interact with the crafted content [1].

Impact

Successful exploitation enables an attacker to execute arbitrary HTML and JavaScript in the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or injection of advertisements and other payloads. The CVSS v3 base score is 6.5 (Medium, indicating a moderate severity [1].

Mitigation

The vendor has released version 3.6.1 which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, disabling the plugin or seeking assistance from a hosting provider is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].