CVE-2025-23550

2025-12-30

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 16:39 (vuln.today)
CVE Published: Dec 30, 2025 - 00:15 (nvd)

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kemal YAZICI Product Puller product-puller allows Reflected XSS. This issue affects Product Puller: from n/a through <= 1.5.1.

Analysis (AI)

Reflected cross-site scripting (XSS) in the Product Puller WordPress plugin through version 1.5.1 allows an unauthenticated attacker to inject JavaScript into pages viewed by other users. The vulnerability stems from improper input sanitization in the plugin's request handling, so an attacker can craft a URL that, when opened by a victim, executes arbitrary script in that victim's browser. No public exploit code has been identified, and the EPSS score of 0.04% indicates a low probability of exploitation in the wild, though the vulnerability remains remotely exploitable without authentication.

Technical Context (AI)

This is a reflected cross-site scripting (XSS) vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The Product Puller WordPress plugin fails to properly sanitize and validate user-supplied input before rendering it in HTML responses. WordPress plugins execute in the context of the WordPress core application, which provides helpers such as esc_attr() for output escaping and wp_kses_post() for allow-list HTML filtering. Because the plugin does not use these functions or an equivalent input validation mechanism, an attacker can supply HTML/JavaScript payloads through URL parameters or form data, and they are reflected directly in the page response without neutralization. Reflected XSS differs from stored XSS in that the malicious payload is not persisted in a database; it must instead be delivered to the victim in a crafted link or request that the victim opens.
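As an added illustration (not code from the Product Puller plugin, whose vulnerable code path is not shown on this page), the snippet below contrasts a hypothetical plugin handler that reflects a query parameter unescaped with the same handler using the WordPress escaping helpers named above; the parameter name `pp_search`, the function names and the shortcode tag are assumptions.

```php
<?php
// Added example: hypothetical WordPress plugin handler, not Product Puller's code.
// Both handlers render a search box whose value is taken from the query string.

// VULNERABLE PATTERN (CWE-79): the request value is dropped into HTML untouched,
// so any markup or script in ?pp_search=... is reflected verbatim to the browser.
function pp_example_search_box_unsafe() {
    $term = isset( $_GET['pp_search'] ) ? $_GET['pp_search'] : '';
    return '<input type="text" name="pp_search" value="' . $term . '">'
         . '<p>Results for: ' . $term . '</p>';
}

// HARDENED PATTERN: sanitize on input, escape on output for the exact context.
// - wp_unslash() removes the slashes WordPress adds to request superglobals.
// - sanitize_text_field() strips tags and control characters from the raw value.
// - esc_attr() escapes for an HTML attribute value; esc_html() for element text.
// The escaping function must match where the value is rendered.
function pp_example_search_box_safe() {
    $term = isset( $_GET['pp_search'] )
        ? sanitize_text_field( wp_unslash( $_GET['pp_search'] ) )
        : '';
    return '<input type="text" name="pp_search" value="' . esc_attr( $term ) . '">'
         . '<p>Results for: ' . esc_html( $term ) . '</p>';
}

// When a value is meant to carry limited HTML (e.g. editor-formatted text),
// wp_kses_post() keeps only the allow-listed tags and attributes instead of
// escaping everything; it filters element content and is not a substitute
// for esc_attr() inside attributes.
function pp_example_render_rich_description( $html ) {
    return '<div class="pp-description">' . wp_kses_post( $html ) . '</div>';
}

// Register the hardened handler; the unsafe one exists only for comparison.
add_shortcode( 'pp_example_search', 'pp_example_search_box_safe' );
```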

Affected Products (AI)

The Product Puller WordPress plugin by Kemal YAZICI is affected in all versions from its initial release through version 1.5.1. The plugin is distributed through the WordPress plugin repository, so any WordPress installation with it active is affected. Affected installations can be identified by the plugin slug 'product-puller' and a version number up to and including 1.5.1. Additional vulnerability details are available in the Patchstack vulnerability database entry linked in the references.

Remediation (AI)

Users should update the Product Puller plugin to a version newer than 1.5.1 immediately. Check the WordPress admin plugins page for available updates and apply them automatically or manually through the WordPress dashboard. If an updated version is not yet available from the vendor, disable the Product Puller plugin temporarily until a patched version is released. Additionally, implement a Web Application Firewall (WAF) rule to detect and block common XSS payloads in URL parameters and form submissions as a temporary mitigation. For detailed advisory information and any available fixes, refer to the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/product-puller/vulnerability/wordpress-product-puller-plugin-1-5-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

CVE-2025-23550 vulnerability details – vuln.today