seekXL Snapr CVE-2025-25087
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound seekXL Snapr allows Reflected XSS. This issue affects seekXL Snapr: from n/a through 2.0.6.
AnalysisAI
Reflected XSS in seekXL Snapr WordPress plugin (versions through 2.0.6) allows remote attackers to inject malicious scripts via unsanitized input parameters, executing arbitrary JavaScript in victim browsers when users click crafted links. The CVSS 7.1 score reflects changed scope (S:C) indicating potential impact beyond the vulnerable component, though the low EPSS score (0.09%, 26th percentile) suggests minimal active exploitation. Patchstack published the vulnerability details, but no vendor patch version beyond 2.0.6 is confirmed in available data.
Technical ContextAI
This is a classic reflected XSS vulnerability (CWE-79) in the seekXL Snapr WordPress plugin, caused by inadequate input sanitization during web page generation. The plugin fails to properly neutralize user-supplied input before reflecting it in HTTP responses, allowing attackers to inject arbitrary HTML and JavaScript. As a WordPress plugin vulnerability, this affects sites using seekXL Snapr for screenshot capture functionality. The vulnerability exists in all versions up to and including 2.0.6, suggesting a longstanding input validation deficiency in the plugin's codebase. Reflected XSS differs from stored XSS in that the malicious payload is delivered and executed immediately via the HTTP request rather than persisted in the application database.
Affected ProductsAI
seekXL Snapr WordPress plugin versions from the earliest release through version 2.0.6 are confirmed vulnerable per Patchstack advisory. The vulnerability affects WordPress installations with this plugin active. Patchstack references indicate WordPress-specific implementation at https://patchstack.com/database/wordpress/plugin/seekxl-snapr/vulnerability/wordpress-seekxl-snapr-plugin-2-0-6-reflected-cross-site-scripting-xss-vulnerability. No CPE identifier was provided in the vulnerability data, and no other platforms or products are identified as affected.
RemediationAI
Remove or disable the seekXL Snapr plugin until a patched version is confirmed available, as no fix version beyond 2.0.6 is independently verified in current data. Monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/seekxl-snapr/vulnerability/wordpress-seekxl-snapr-plugin-2-0-6-reflected-cross-site-scripting-xss-vulnerability for vendor patch announcements. As interim compensating controls, implement Web Application Firewall (WAF) rules to block common XSS patterns in requests to the plugin endpoints - though this adds latency and maintenance overhead for signature updates. Configure Content Security Policy (CSP) headers to restrict inline script execution, which prevents many XSS payloads but may break legitimate plugin functionality requiring testing. Educate users about not clicking untrusted links to site URLs, though this provides limited protection against targeted attacks. If the plugin is non-essential, permanent removal eliminates the attack surface entirely.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today