CVE-2025-69302

Vulnerability

Overview The DesignThemes Core Features plugin for WordPress versions up to 2.3 contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This allows an attacker to inject arbitrary HTML and JavaScript into a page, which is then executed in the context of the victim's browser [1].

Exploitation

Details Exploitation requires user interaction, such as clicking a crafted link or visiting a specially prepared page. The vulnerability is classified as reflected XSS, meaning the malicious payload is not stored but delivered via a request. No authentication is required to trigger the vulnerability, but the victim must be a user of the affected site [1].

Impact

Successful exploitation could allow an attacker to perform actions such as redirecting users to malicious sites, displaying advertisements, or stealing sensitive information. The CVSS score of 7.1 indicates a high severity, and the vulnerability is expected to be used in mass-exploit campaigns targeting WordPress sites [1].

Mitigation

The vendor has not yet released a patch, but Patchstack has issued a mitigation rule to block attacks until an official fix is available. Users are advised to update the plugin as soon as a patch is released or apply the mitigation rule. If unable to update, consult a hosting provider or web developer for assistance [1].