CVE-2025-68991
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in xenioushk BWL Pro Voting Manager bwl-pro-voting-manager allows DOM-Based XSS. This issue affects BWL Pro Voting Manager: from n/a through <= 1.4.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOM-based XSS in BWL Pro Voting Manager plugin (≤1.4.9) allows script injection via improper input neutralization.
Vulnerability Overview
The BWL Pro Voting Manager plugin for WordPress (versions up to and including 1.4.9) contains a DOM-based Cross-Site Scripting (XSS) vulnerability. The root cause is improper neutralization of user input during web page generation: attacker-controlled data reaches a point where it is rendered as markup without being escaped, allowing arbitrary JavaScript to be injected into the DOM of a victim's browser. Because the flaw is DOM-based, the unsafe read and write happen in the plugin's client-side JavaScript rather than in server-side PHP output, so the injected data need not be stored on the server and, if it travels in the URL fragment, may never be sent to the server at all. [1]
Exploitation Path
Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page. The vulnerability can be triggered without authentication, though the reference notes that successful exploitation typically depends on a victim performing an action. The attack vector is network-based with low complexity; the attacker needs no privileges on the site, only the ability to deliver a crafted payload (typically a URL) to a user who then loads the affected page. [1]
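The pattern the overview and exploitation path describe, shown as an added illustration that is not the plugin's code and makes no claim about its real source or sink: the URL fragment as data source, the `poll` parameter name and the wrapper markup are all assumptions chosen to show the bug class, with a hardened renderer beside the vulnerable one. The "DOM" is modelled as an HTML string so the example runs under Node without a browser.

```javascript
// Added illustration of DOM-based XSS. NOT the BWL Pro Voting Manager code:
// the source (URL fragment), the "poll" parameter and the innerHTML-style sink
// are assumed to demonstrate the vulnerability class, not the plugin's code path.

// Vulnerable renderer: copies attacker-controlled URL data straight into markup.
function renderPollStatusVulnerable(pageUrl) {
  const url = new URL(pageUrl);
  // The fragment is purely client-side data: browsers never send it to the server,
  // so nothing about this payload appears in server access logs.
  const params = new URLSearchParams(url.hash.slice(1));
  const poll = params.get("poll") || "";
  // String-building equivalent of:
  //   el.innerHTML = '<div class="bwl-status">Results for ' + poll + '</div>';
  return `<div class="bwl-status">Results for ${poll}</div>`;
}

// Minimal HTML escaping for text placed inside element content or a quoted attribute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: same output shape, but the untrusted value is escaped before
// it is placed into markup (the analogue of assigning textContent instead of innerHTML).
function renderPollStatusHardened(pageUrl) {
  const url = new URL(pageUrl);
  const params = new URLSearchParams(url.hash.slice(1));
  const poll = params.get("poll") || "";
  return `<div class="bwl-status">Results for ${escapeHtml(poll)}</div>`;
}

// Crude reviewer check over rendered output: does any tag other than the expected
// wrapper appear? (Constructed heuristic for the demo, not a full HTML parser.)
function containsUnexpectedTag(html) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => t !== "div");
}

// Constructed sample: the kind of crafted link the exploitation path describes.
// The victim only has to open it; the browser percent-encodes the fragment, and
// URLSearchParams decodes it back to raw markup before it hits the sink.
const CRAFTED_LINK =
  "https://example.test/vote/#poll=<img src=x onerror=alert(document.cookie)>";

function demo() {
  const vulnerable = renderPollStatusVulnerable(CRAFTED_LINK);
  const hardened = renderPollStatusHardened(CRAFTED_LINK);
  return {
    vulnerable,
    hardened,
    vulnerableInjects: containsUnexpectedTag(vulnerable), // true
    hardenedInjects: containsUnexpectedTag(hardened),     // false
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` and compare the two rendered strings: the vulnerable one contains a live `<img onerror=...>` element, the hardened one contains only text. The same split applies in a real page: any value read from `location.hash`, `location.search` or `document.referrer` must be escaped or assigned via `textContent` before it reaches `innerHTML`, `document.write` or a jQuery `.html()` call.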
Impact
A successful attack allows an attacker to execute arbitrary script in the context of the victim's session, on the WordPress admin side or the public frontend depending on where the vulnerable functionality resides. This can lead to session hijacking, redirection to malicious sites, or injection of advertisements or other HTML payloads visible to site visitors. Since the payload is assembled in the victim's browser, a payload carried in the URL fragment is never transmitted to the server, so server access logs and server-side WAF rules may record nothing; detection has to examine the plugin's client-side code or the links being distributed to users. The CVSS score of 6.5 (medium) reflects that a victim must first act on attacker-supplied content before any script runs. [1]
Mitigation
The vendor has not released a patched version beyond 1.4.9 at the time of disclosure. Users are advised to update the plugin as soon as a fixed release becomes available. Until then, deactivating the plugin, or removing its voting output from publicly reachable pages, removes the exposed code path; a Content Security Policy that disallows inline script limits what an injected payload can do but does not fix the underlying bug. The vulnerability is tracked in the Patchstack database and is flagged as a risk for mass exploitation campaigns. [1]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- BWL Pro Voting Manager (bwl-pro-voting-manager): <= 1.4.9
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.