VYPR
High severity · 7.1 · NVD Advisory · Published Feb 20, 2026 · Updated Apr 15, 2026

CVE-2025-67991

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Reflected XSS. This issue affects User Extra Fields: from n/a through <= 16.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in WordPress User Extra Fields plugin (≤16.8) allows attackers to inject malicious scripts via unneutralized input.

Vulnerability

Overview

The WordPress plugin User Extra Fields (wp-user-extra-fields) versions up to and including 16.8 contain a reflected Cross-Site Scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML or JavaScript into a response page [1].
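As an added illustration (not code from the User Extra Fields plugin, whose affected parameter the advisory does not name), the following contrasts the unsafe pattern described above, a request value written straight into the generated page, with the sanitizing and context-specific escaping that WordPress core provides. The parameter and function names are hypothetical.

```php
<?php
// Added illustration, not the User Extra Fields plugin's own code. The advisory
// does not say which input the plugin fails to neutralize, so the parameter
// names used here ('uef_label', 'uef_field') are hypothetical.

// Vulnerable pattern: the request value reaches the browser unchanged, in both
// text and attribute context, so any markup it carries is rendered and run.
function uef_render_field_vulnerable() {
    $label = isset( $_GET['uef_label'] ) ? $_GET['uef_label'] : '';
    echo '<label for="uef_field">' . $label . '</label>';
    echo '<input type="text" id="uef_field" name="uef_field" value="' . $label . '">';
}

// Hardened pattern: sanitize on input, then escape on output for each context.
function uef_render_field_hardened() {
    // wp_unslash() undoes WordPress' automatic slash-escaping of request data;
    // sanitize_text_field() strips tags, NUL bytes and stray whitespace.
    $label = isset( $_GET['uef_label'] )
        ? sanitize_text_field( wp_unslash( $_GET['uef_label'] ) )
        : '';

    // sanitize_text_field() does not encode quotes, so output escaping is still
    // required: esc_html() between tags, esc_attr() inside an attribute value.
    echo '<label for="uef_field">' . esc_html( $label ) . '</label>';
    echo '<input type="text" id="uef_field" name="uef_field" value="' . esc_attr( $label ) . '">';
}

// Where a field legitimately carries limited HTML (a description, say), allow
// only a vetted tag set with wp_kses_post() instead of skipping escaping.
function uef_render_description_hardened( $description ) {
    echo wp_kses_post( $description );
}
```

The defensive point is that input sanitization and output escaping are separate controls: the first narrows what is stored or processed, the second guarantees the value cannot break out of the HTML context it is printed into, and reflected XSS of the kind described here is what remains when the second step is missing.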

Exploitation

Conditions

Exploitation requires user interaction: a privileged user (such as an administrator) must click a crafted link, visit a specially prepared page, or submit a malicious form. The attacker does not need authentication but depends on tricking an authenticated user into performing the action [1]. This makes the vulnerability suitable for mass-exploit campaigns targeting thousands of WordPress sites regardless of their size or popularity [1].

Impact

Successful exploitation enables the attacker to inject malicious scripts that execute in the context of the victim's browser. Potential outcomes include redirecting visitors to attacker-controlled sites, displaying unwanted advertisements, or delivering other HTML payloads that compromise the integrity of the website [1].

Mitigation

The vendor has released version 16.9 which resolves the vulnerability. Users are strongly advised to update immediately. If immediate updating is not possible, a mitigation rule is available from Patchstack to block attacks until the update can be applied [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)