CVE-2025-67918

Vulnerability

Overview

CVE-2025-67918 is a reflected Cross-Site Scripting (XSS) vulnerability in the Woffice theme for WordPress, affecting versions from n/a through 5.4.30. The issue stems from improper neutralization of user input during web page generation, allowing an attacker to inject arbitrary HTML or JavaScript into a response. [1]

Exploitation

Details

Exploitation requires user interaction, such as clicking a crafted link or visiting a specially prepared page. The attacker does not need authentication to initiate the attack, but the victim must be a privileged user (e.g., an administrator) for the payload to execute. This makes the vulnerability suitable for mass-exploit campaigns targeting, as it can be triggered without prior access to the site. [1]

Impact

Successful exploitation enables an attacker to execute malicious scripts in the context of the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or injection of advertisements and other HTML payloads. The CVSS v3 score is 7.1 (High), reflecting the potential for significant harm with relatively low complexity. [1]

Mitigation

The vendor has released version 5.4.31, which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until the patch is applied. [1]