CVE-2025-67549

Vulnerability

Overview

The oik WordPress plugin, versions through 4.15.3, contains a DOM-Based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw allows an attacker to inject arbitrary JavaScript into the DOM of a victim's browser, bypassing server-side sanitization.

Exploitation

Details

Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a specially crafted form [1]. The attacker does not need direct access to the server; instead, the attack is delivered through the victim's browser, making it a client-side issue.

Impact

Successful exploitation enables an attacker to execute malicious scripts in the context of the victim's session. This can lead to unauthorized actions such as redirecting users, theft of sensitive data, or defacement of the website [1]. The vulnerability is rated Medium (CVSS 6.5) and is known to be used in mass-exploit campaigns targeting thousands of sites.

Mitigation

The vendor has released version 4.15.4, which resolves the vulnerability. Users are strongly recommended that all users update immediately [1]. For those unable to update, consulting a hosting provider or web developer is advised. Patchstack users can enable auto-updates for vulnerable plugins.