CVE-2025-68840

Vulnerability

The iRobots.txt SEO plugin for WordPress versions up to 1.1.2 contains a reflected Cross-Site Scripting (XSS) vulnerability [1]. The plugin fails to properly sanitize user-supplied input in certain parameters, allowing attackers to inject arbitrary HTML and JavaScript. No authentication is required to trigger the vulnerability, but successful exploitation depends on a privileged user (e.g., administrator) performing an action such as clicking a malicious link [1].

Exploitation

An attacker can craft a URL containing a malicious payload and send it to a logged-in WordPress administrator or other privileged user. If the victim clicks the link, the injected script is reflected back and executed in their browser within the context of the vulnerable site. This attack can be performed remotely without prior authentication [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, redirection to malicious sites, injection of advertisements, or defacement of the website. The impact extends to both administrative users and site visitors, potentially compromising the security and integrity of the WordPress installation [1].

Mitigation

According to the advisory, the recommended immediate action is to update the plugin once an official patch is available. No fixed version has been disclosed in the reference [1]. Until a patch is released, Patchstack has issued a mitigation rule to block attacks. Users unable to update should consult their hosting provider or web developer for assistance [1].