CVE-2025-69018
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shamalli Web Directory Free web-directory-free allows DOM-Based XSS. This issue affects Web Directory Free: from n/a through <= 1.7.12.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOM-Based XSS vulnerability in Web Directory Free plugin up to 1.7.12 allows malicious script injection via user interaction.
The Web Directory Free plugin for WordPress, versions up to and including 1.7.12, suffers from a DOM-Based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation [1]. This flaw enables an attacker to inject arbitrary JavaScript code that executes in the context of the victim's browser.
Exploitation requires user interaction, such as clicking a crafted link or visiting a malicious page [1]. A privileged user (e.g., an administrator) must perform the action, but the injected script runs for any visitor to the affected site [1]. The vulnerability is rated CVSS 6.5 (Medium) and is categorized under CWE-79 [1].
Successful exploitation allows an attacker to execute arbitrary scripts, which can be used for redirects, displaying advertisements, or other HTML payloads [1]. This could lead to defacement, data theft, or further compromise of the site's visitors [1].
The vulnerability has been patched in version 1.7.13 [1]. Users are strongly advised to update immediately. For those unable to update, implementing a web application firewall or consulting a security professional is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=1.7.12
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.