CVE-2025-68880

Vulnerability

Overview

The Simple Archive Generator WordPress plugin (versions up to and including 5.2) contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript code that is executed in the browser of a victim who follows a crafted link or interacts with a specially crafted request.

Attack

Vector and Requirements

The vulnerability is reflected XSS, meaning the injected script is immediately returned in the server's response and does not persist in the database. Exploitation requires user interaction—the victim must click a malicious link, visit a manipulated page, or submit a crafted form [1]. No authentication is needed for the attacker; the vulnerability is initiated by an unauthenticated role. The attacker can target any WordPress site running the affected plugin without needing elevated privileges.

Impact

Successful exploitation allows an attacker to execute arbitrary scripts in the context of the victim's browser session on the affected site [1]. This can be leveraged to perform actions such as redirecting visitors to malicious sites, displaying unwanted advertisements, stealing session cookies, or defacing the website. The CVSS v3 base score is 7.1 (High), reflecting the potential for significant impact with relatively low attack complexity.

Mitigation and

Status

The vulnerability is publicly disclosed and is expected to be exploited in mass campaigns [1]. As of the publication date, no official patch had been released, but Patchstack has issued a mitigation rule to block attacks until a fix becomes available. The recommended immediate action is to update the plugin to a patched version once released, or to apply a web application firewall rule [1]. Users unable to update should contact their hosting provider or web developer for assistance.