Skip to main content

WP Less Compiler CVE-2025-25142

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:16 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Less Compiler allows Stored XSS. This issue affects WP Less Compiler: from n/a through 1.3.0.

AnalysisAI

Stored cross-site scripting in WP Less Compiler WordPress plugin versions through 1.3.0 enables remote unauthenticated attackers to inject malicious scripts that execute in victim browsers when triggered by user interaction. The vulnerability affects a WordPress LESS CSS preprocessor plugin, with scope change (S:C) indicating potential attack escalation beyond the plugin's security context. EPSS score of 0.09% (26th percentile) suggests low probability of widespread exploitation attempts. No active exploitation confirmed by CISA KEV at time of analysis.

Technical ContextAI

WP Less Compiler is a WordPress plugin that compiles LESS (Leaner Style Sheets) into CSS for theme development. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating insufficient input sanitization or output encoding when processing user-supplied data. In WordPress plugins, stored XSS typically occurs when plugin settings, configuration fields, or user-generated content are saved to the database without proper validation and later rendered without escaping. The attack vector (AV:N) confirms the vulnerability is accessible through WordPress's web interface, while the changed scope (S:C) in the CVSS vector suggests the injected script can operate beyond the plugin's intended privilege boundaries, potentially accessing WordPress admin session tokens or performing actions across the WordPress application context.

Affected ProductsAI

WordPress WP Less Compiler plugin versions from earliest available release through version 1.3.0 (inclusive). The vulnerability affects all installations running version 1.3.0 or earlier. Patchstack vulnerability database reference available at https://patchstack.com/database/wordpress/plugin/wp-less-compiler/vulnerability/wordpress-wp-less-compiler-plugin-1-3-0-cross-site-scripting-xss-vulnerability providing detailed analysis. No CPE string provided in vulnerability data. Plugin is distributed through WordPress.org plugin repository under slug 'wp-less-compiler'.

RemediationAI

Primary remediation: Upgrade WP Less Compiler to version 1.3.1 or later if a patched release has been issued. At time of analysis, Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wp-less-compiler/vulnerability/wordpress-wp-less-compiler-plugin-1-3-0-cross-site-scripting-xss-vulnerability) confirms the vulnerability but patch version availability requires verification from plugin developer or WordPress.org repository. If no patch is available, implement compensating controls: restrict plugin configuration access to only super-administrators via WordPress role management, implement Content Security Policy headers with 'script-src self' directive to block inline script execution (trade-off: may break legitimate WordPress admin functionality requiring inline scripts), or remove the plugin entirely and migrate to alternative LESS compilation solutions such as WP-SCSS or server-side build tools like Webpack. Audit existing plugin settings and stored content for injected script payloads matching common XSS patterns (script tags, event handlers, javascript: protocols).

Share

CVE-2025-25142 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy