CVE-2025-68867
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anibalwainstein Effect Maker effect-maker allows DOM-Based XSS. This issue affects Effect Maker: from n/a through <= 1.2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated DOM-Based XSS vulnerability in the WordPress Effect Maker plugin (≤1.2.1) allows attackers to inject malicious scripts via improperly neutralized input.
Vulnerability
Overview
The Effect Maker plugin for WordPress (versions up to and including 1.2.1) suffers from a DOM-Based Cross-Site Scripting (XSS) vulnerability. The root cause is improper neutralization of user-controlled input during web page generation, allowing an attacker to inject arbitrary JavaScript into the DOM of a victim's browser. This is classified under CWE-79 and has a CVSS v3 score of 6.5 (Medium) [1].
Exploitation
Details
Exploitation requires user interaction: a privileged user must perform an action such as clicking a malicious link, visiting a crafted page, or submitting a form. Although the vulnerability can be initiated by an unauthenticated attacker, successful execution depends on a victim (e.g., an administrator) interacting with the crafted content. The attack is delivered via DOM manipulation, without requiring server-side request forgery or other network-level prerequisites [1].
Impact
An attacker able to exploit this flaw can inject scripts that execute in the context of the victim's session. This can lead to redirecting users to malicious sites, displaying unauthorized advertisements, stealing sensitive data, or performing actions on behalf of the impacted user. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of WordPress sites regardless of their traffic or popularity [1].
Mitigation
The vendor has not released an official patch as of the publication date. However, Patchstack has provided a virtual mitigation rule to block attacks until an official update is available and can be safely applied. As an immediate action, users should update the plugin if a patched version is released. If updating is not possible, consulting a hosting provider or web developer for assistance is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 1.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.