CVE-2025-68854
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in harman79 ID Arrays id-arrays allows DOM-Based XSS. This issue affects ID Arrays: from n/a through <= 2.1.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOM-Based XSS in WordPress ID Arrays plugin allows attackers to inject malicious scripts via crafted requests.
Vulnerability
Overview
The ID Arrays WordPress plugin (versions up to and including 2.1.2) contains a DOM-Based Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-68854. The root cause is improper neutralization of user-supplied input during web page generation, enabling script injection in the client-side Document Object Model (DOM) [1].
Exploitation & Attack Surface
Exploitation requires user interaction: a privileged user (e.g., an administrator) must perform an action such as clicking a crafted link, visiting a specially prepared page, or submitting a form. The attack surface is web-based and can be triggered via HTTP requests, leading to DOM manipulation in the victim's browser [1]. The attacker needs no privileges beyond the victim's own role to initiate the attack, but the victim must be logged into WordPress.
Impact
Successful exploitation allows an attacker to inject arbitrary JavaScript, HTML, or other content into the affected site. This can result in malicious redirects, display of unauthorized advertisements, or other payloads that execute when visitors load the compromised page [1]. The vulnerability is classified as High severity (CVSS 7.1) and is considered likely to be exploited in mass-attack campaigns targeting thousands of sites.
Mitigation & Response
As of the publication date (2026-02-20), no official patch for version 2.1.2 has been released by the plugin author. However, a mitigation rule is available through Patchstack that blocks exploit attempts until an update can be safely applied. Users are strongly advised to update the plugin to a patched version once available, or to contact their hosting provider for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.