CVE-2025-69033
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Blog Filter blog-filter allows DOM-Based XSS. This issue affects Blog Filter: from n/a through <= 1.7.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Blog Filter plugin <=1.7.3 for WordPress is vulnerable to DOM-based XSS via improper input sanitization, allowing script injection.
The Blog Filter plugin for WordPress, version 1.7.3 and earlier, contains a DOM-based Cross-Site Scripting (XSS) vulnerability stemming from improper neutralization of user input during web page generation. This flaw enables an attacker to inject arbitrary JavaScript into a page's DOM environment, bypassing typical server-side filters [1].
Exploitation requires user interaction. While an attack can be initiated by a low-privileged role, successful execution demands that a privileged user, such as an administrator, performs an action like clicking a malicious link or visiting a crafted page. This dependency on user interaction lowers the immediate risk but still opens the door for targeted attacks or broader campaigns [1].
Impact includes the ability for an attacker to inject malicious scripts, resulting in activities such as unwanted redirects, injected advertisements, or other HTML payloads that execute when visitors access the affected site. The CVSS v3 score of 6.5 reflects a medium severity, and the vulnerability is considered low severity by the vendor, though it has been noted for use in mass-exploit scenarios against WordPress sites [1].
A fix was released in version 1.7.4 of the plugin. Users are strongly advised to update immediately to the latest version. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended. Patchstack subscribers can enable auto-updates to protect vulnerable plugins automatically [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
- Range: <=1.7.3
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.