CVE-2025-68873

The PRIMER by chloédigital WordPress plugin versions 1.0.25 and earlier contain a reflected cross-site scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation [1]. This allows an attacker to inject arbitrary HTML and JavaScript into the application's response.

To exploit this vulnerability, an attacker must trick a privileged user (such as an administrator) into clicking a malicious link or visiting a crafted page. No direct authentication from the attacker is required, but the target user must be logged into the WordPress site. The attack surface is the plugin's handling of requests that reflect input back to the user [1].

Successful exploitation could allow the attacker to execute malicious scripts in the context of the victim's browser session. This can lead to actions such as redirecting visitors to malicious sites, injecting advertisements, or stealing sensitive session data [1]. The CVSS v3 base score is 7.1 (High), reflecting the need for user interaction and the moderate potential impact.

Patchstack has released a mitigation rule to block attacks until an official patch is available [1]. Website administrators should update the plugin to a patched version as soon as possible, or apply a workaround provided by a hosting provider or security solution [1].