CVE-2025-66118

Vulnerability

Overview CVE-2025-66118 is a reflected Cross-Site Scripting (XSS) vulnerability in the BoldGrid Sprout Clients plugin for WordPress, affecting versions from n/a through 3.2.1. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML or JavaScript into a response [1].

Exploitation

Prerequisites Exploitation requires user interaction, such as clicking a crafted link or visiting a specially prepared page. The vulnerability can be initiated by a user with certain privileges, but successful execution depends on a privileged user performing an action like clicking a malicious link [1]. This makes it suitable for mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].

Impact

If exploited, an attacker can inject malicious scripts (e.g., redirects, advertisements, or other HTML payloads) that execute when visitors access the affected site. This could lead to defacement, phishing, or further compromise of user sessions [1].

Mitigation

The vulnerability is fixed in version 3.2.2 of the Sprout Clients plugin. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until the patch is applied [1].