CVE-2025-68031
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in faraz sms افزونه پیامک حرفه ای فراز اس ام اس farazsms allows Reflected XSS. This issue affects افزونه پیامک حرفه ای فراز اس ام اس: from n/a through <= 2.7.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in the farazsms WordPress plugin (≤2.7.3) allows attackers to inject malicious scripts via crafted requests, potentially leading to site compromise.
Vulnerability Overview
The vulnerability is a reflected Cross-Site Scripting (XSS) in the WordPress plugin 'افزونه پیامک حرفه ای فراز اس ام اس' (farazsms) versions up to and including 2.7.3. The plugin fails to properly neutralize user input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript code into a response [1].
Exploitation Details
Exploitation requires user interaction, such as a privileged user clicking a malicious link or visiting a crafted page. The attacker does not need authentication but must trick a user with sufficient privileges (e.g., admin) into performing an action. This makes the vulnerability suitable for mass-exploit campaigns targeting thousands of WordPress sites [1].
Impact
Successful exploitation enables the attacker to execute malicious scripts in the context of the victim's browser. This can lead to redirects, injection of advertisements, theft of session cookies, or other actions that compromise the site's integrity and user trust [1].
Mitigation
Users are advised to update the plugin to a patched version as soon as possible. Until an official patch is available, Patchstack provides a mitigation rule that blocks attacks. Given the vulnerability's expected exploitation, immediate action is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0 (no linked articles in our index yet)