CVE-2025-68875
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jcaruso001 Flaming Password Reset flaming-password-reset allows Stored XSS. This issue affects Flaming Password Reset: from n/a through <= 1.0.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Flaming Password Reset plugin for WordPress ≤ 1.0.3 allows attackers to inject malicious scripts via unsanitized input.
Vulnerability Overview
The Flaming Password Reset plugin for WordPress versions up to and including 1.0.3 contains a Stored Cross-Site Scripting (XSS) vulnerability [1]. The issue stems from improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and later executed in the browsers of visitors [1].
Exploitation Prerequisites
Exploitation requires a privileged user to perform an action such as clicking a malicious link or submitting a crafted form [1]. Once triggered, the injected payload persists in the application and executes whenever other users view the affected page [1]. The attack does not depend on high traffic to any single site, since such campaigns commonly target thousands of sites at once [1].
Impact on Affected Sites
Successful exploitation allows an attacker to inject malicious scripts including redirects, advertisements, or other HTML payloads [1]. These scripts execute when guests visit the compromised site, potentially leading to data theft, session hijacking, or further defacement [1].
Mitigation and Remediation
The vendor has not yet released an official patch for this vulnerability [1]. As immediate action, administrators should update the plugin when a patched version becomes available or contact their hosting provider for assistance [1]. Patchstack has issued a mitigation rule to block attacks until an official fix can be safely applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 1.0.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.