CVE-2025-67986
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows DOM-Based XSS. This issue affects Document Library Lite: from n/a through <= 1.1.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOM-based XSS in WordPress Document Library Lite plugin (<=1.1.7) allows script injection; update to 1.2.0.
CVE-2025-67986 is a DOM-based Cross-site Scripting (XSS) vulnerability in the Barn2 Plugins Document Library Lite plugin for WordPress, affecting versions up to and including 1.1.7. The plugin fails to properly neutralize input during web page generation, allowing an attacker to inject malicious scripts into the DOM [1].
Exploitation requires user interaction, typically a privileged user such as an administrator clicking a crafted link or visiting a specially prepared page [1]. This interaction triggers the injected script to execute in the context of the victim's browser.
Successful exploitation could allow an attacker to inject arbitrary scripts, resulting in actions like redirecting visitors to malicious sites, displaying advertisements, or stealing sensitive data. Such vulnerabilities are often targeted in mass-exploit campaigns [1].
The issue is resolved in version 1.2.0 of the plugin. Users are strongly advised to update immediately. For Patchstack users, enabling auto-updates for vulnerable plugins is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.1.7
Patches
No patches discovered yet.