CVE-2025-68856

Vulnerability

Overview

CVE-2025-68856 is a DOM-Based Cross-Site Scripting (XSS) vulnerability discovered in the WordPress Mopinion Feedback Form plugin, affecting all versions up to and including 1.1.1. The root cause is improper neutralization of user input during web page generation, allowing an attacker to inject arbitrary JavaScript code into the DOM of a victim's browser.

Exploitation

Details

Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page. The attacker does not need authentication to deliver the payload, but the target user must perform an action for the script to execute. This makes the vulnerability suitable for mass-exploit campaigns where attackers target thousands of websites regardless of their popularity.

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This could lead to redirecting users to malicious sites, injecting advertisements, or stealing sensitive information such as session cookies. The CVSS v3 score is 7.1 (High), reflecting the potential for widespread harm.

Mitigation

The vendor has not yet released an official patch, but users are advised to update the plugin as soon as a patched version becomes available. In the interim, a mitigation rule is available from Patchstack to block attacks until a tested patch can be applied. Immediate action is recommended given the vulnerability's likelihood of exploitation [1].