CVE-2025-67552

Vulnerability

Overview

The Walker Core WordPress plugin (versions up to and including 1.3.17) contains a DOM-based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw enables an attacker to inject arbitrary JavaScript or HTML payloads into the page's DOM, which then execute in the context of the victim's browser.

Exploitation

Details

Exploitation requires user interaction — a privileged user must perform an action such as clicking a crafted link or visiting a specially prepared page [1]. The vulnerability is classified as DOM-based, meaning the payload is processed client-side without server-side sanitization. Attackers can leverage this in mass-exploit campaigns targeting thousands of WordPress sites simultaneously [1].

Impact

Impact

Impact

Successful exploitation allows an attacker to execute malicious scripts in the browser of any visitor to the affected site. This can be used to perform redirects, display unauthorized advertisements, steal session tokens, or deliver other HTML payloads [1]. The CVSS v3 base score is 6.5 (Medium), reflecting the need for user interaction but the potential for significant client-side harm.

Mitigation

The vulnerability is patched in version 1.3.18 of the Walker Core plugin. Users are strongly advised to update immediately. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates enable auto-updates for vulnerable plugins [1].