CVE-2025-68037

Vulnerability

Overview

The Export Media URLs plugin for WordPress versions 2.2 and earlier contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation of web pages [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript into a page response, which is then executed in the context of the victim's browser session.

Exploitation

Details

Exploitation requires user interaction, such as clicking a crafted link or visiting a specially prepared page [1]. The attack can be initiated by a user with low privileges, but successful execution depends on a privileged user performing the action. This makes the vulnerability suitable for mass-exploit campaigns targeting thousands of websites at a time, regardless of site traffic or popularity [1].

Impact

A successful attack could allow an attacker to inject malicious scripts, including redirects, advertisements, or other HTML payloads, which execute when visitors access the site [1]. This can lead to defacement, phishing, or further compromise of user sessions.

Mitigation

The vendor has released version 2.3 which resolves the vulnerability. Users are advised to update immediately or enable auto-updates for vulnerable plugins [1].