Skip to main content

seekXL Snapr CVE-2025-25087

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:33 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound seekXL Snapr allows Reflected XSS. This issue affects seekXL Snapr: from n/a through 2.0.6.

AnalysisAI

Reflected XSS in seekXL Snapr WordPress plugin (versions through 2.0.6) allows remote attackers to inject malicious scripts via unsanitized input parameters, executing arbitrary JavaScript in victim browsers when users click crafted links. The CVSS 7.1 score reflects changed scope (S:C) indicating potential impact beyond the vulnerable component, though the low EPSS score (0.09%, 26th percentile) suggests minimal active exploitation. Patchstack published the vulnerability details, but no vendor patch version beyond 2.0.6 is confirmed in available data.

Technical ContextAI

This is a classic reflected XSS vulnerability (CWE-79) in the seekXL Snapr WordPress plugin, caused by inadequate input sanitization during web page generation. The plugin fails to properly neutralize user-supplied input before reflecting it in HTTP responses, allowing attackers to inject arbitrary HTML and JavaScript. As a WordPress plugin vulnerability, this affects sites using seekXL Snapr for screenshot capture functionality. The vulnerability exists in all versions up to and including 2.0.6, suggesting a longstanding input validation deficiency in the plugin's codebase. Reflected XSS differs from stored XSS in that the malicious payload is delivered and executed immediately via the HTTP request rather than persisted in the application database.

Affected ProductsAI

seekXL Snapr WordPress plugin versions from the earliest release through version 2.0.6 are confirmed vulnerable per Patchstack advisory. The vulnerability affects WordPress installations with this plugin active. Patchstack references indicate WordPress-specific implementation at https://patchstack.com/database/wordpress/plugin/seekxl-snapr/vulnerability/wordpress-seekxl-snapr-plugin-2-0-6-reflected-cross-site-scripting-xss-vulnerability. No CPE identifier was provided in the vulnerability data, and no other platforms or products are identified as affected.

RemediationAI

Remove or disable the seekXL Snapr plugin until a patched version is confirmed available, as no fix version beyond 2.0.6 is independently verified in current data. Monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/seekxl-snapr/vulnerability/wordpress-seekxl-snapr-plugin-2-0-6-reflected-cross-site-scripting-xss-vulnerability for vendor patch announcements. As interim compensating controls, implement Web Application Firewall (WAF) rules to block common XSS patterns in requests to the plugin endpoints - though this adds latency and maintenance overhead for signature updates. Configure Content Security Policy (CSP) headers to restrict inline script execution, which prevents many XSS payloads but may break legitimate plugin functionality requiring testing. Educate users about not clicking untrusted links to site URLs, though this provides limited protection against targeted attacks. If the plugin is non-essential, permanent removal eliminates the attack surface entirely.

Share

CVE-2025-25087 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy