VYPR

High severity 7.1 · NVD Advisory · Published Feb 20, 2026 · Updated Apr 15, 2026

CVE-2025-69392

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in itex iMoney imoney allows Reflected XSS. This issue affects iMoney: from n/a through <= 0.36.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in the WordPress iMoney plugin (≤0.36) allows unauthenticated attackers to inject malicious scripts via improperly neutralized user input.

Vulnerability

Overview

The iMoney plugin for WordPress, in versions 0.36 and earlier, contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This flaw arises when the plugin fails to sanitize or escape data before including it in output, allowing an attacker to inject arbitrary HTML and JavaScript code [1].
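The failure mode described above, shown as an added example that is not iMoney's code: a WordPress-style handler that reflects a request parameter into the page unescaped, beside the version that escapes for each output context. The parameter name `q`, the function names and the crafted input are all hypothetical or constructed; the snippet uses `htmlspecialchars()` so it runs outside WordPress, where `esc_attr()` and `esc_html()` are the equivalents.

```php
<?php
// Added example, not the iMoney plugin's code. Parameter "q", the function
// names and the sample input are hypothetical / constructed for illustration.

// VULNERABLE pattern: request data is concatenated straight into HTML.
// Whatever arrives in ?q=... is reflected verbatim, so markup and script
// in the parameter become part of the page the victim's browser renders.
function vuln_render_search_box(array $request): string {
    $term = (string) ($request['q'] ?? '');
    return '<input type="text" name="q" value="' . $term . '">'
         . '<p>Results for: ' . $term . '</p>';
}

// HARDENED pattern: escape the value for the exact context it lands in.
// Attribute value and element content need HTML escaping with quotes
// encoded; in WordPress use esc_attr() for the former and esc_html() for
// the latter. Input-side sanitizing (e.g. sanitize_text_field()) is a
// complement, not a substitute, for escaping at output time.
function safe_render_search_box(array $request): string {
    $term = (string) ($request['q'] ?? '');
    $attr = htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="q" value="' . $attr . '">'
         . '<p>Results for: ' . $html . '</p>';
}

// Quick self-check a reviewer can run: if the untrusted value carries any
// markup-significant character, it must not appear verbatim in the output.
function is_neutralized(string $fragment, string $untrusted): bool {
    if (strpbrk($untrusted, "<>\"'") === false) {
        return true; // nothing dangerous to neutralize
    }
    return strpos($fragment, $untrusted) === false;
}

// Constructed input standing in for a crafted query string; the closing
// quote and angle bracket are what break out of the attribute context.
$request = ['q' => '"><script>x()</script>'];

$vuln = vuln_render_search_box($request);
$safe = safe_render_search_box($request);

echo "vulnerable : ", $vuln, PHP_EOL;
echo "hardened   : ", $safe, PHP_EOL;
echo "vulnerable neutralized? ", var_export(is_neutralized($vuln, $request['q']), true), PHP_EOL;
echo "hardened neutralized?   ", var_export(is_neutralized($safe, $request['q']), true), PHP_EOL;
```

Run with `php example.php`. The escaped output keeps the user's text visible as literal characters (`&quot;&gt;&lt;script&gt;...`) while the browser no longer parses it as markup; the same two escaping calls are what a fix for a reflected-XSS bug of this class normally adds at every point where the parameter reaches the page.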

Exploitation

Conditions

Attackers can exploit this vulnerability by crafting a malicious URL that, when clicked by a privileged user (such as an administrator), executes the injected script in the context of the victim's browser session. No authentication is required to craft the attack, but user interaction is necessary—the victim must visit the specially crafted link or submit a form [1]. This makes the vulnerability suitable for mass phishing campaigns targeting WordPress site administrators.

Impact

Successful exploitation allows an attacker to perform actions that the victim can, including redirecting visitors to malicious sites, injecting advertisements, or stealing session cookies and other sensitive data. The CVSS v3 base score is 7.1 (High), reflecting the potential for significant impact on the confidentiality, integrity, and availability of the affected site [1].

Mitigation

As of the publication date, no official patch has been released for the iMoney plugin. The vendor has not responded to the disclosure. Users are advised to immediately update the plugin if a patch becomes available, or to implement a Web Application Firewall (WAF) rule—such as the one provided by Patchstack—to block exploitation attempts until a fix can be applied [1]. Given that this vulnerability is expected to be used in mass-exploit campaigns, immediate action is strongly recommended.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.