Description (NVD)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Reflected XSS. This issue affects Infility Global: from n/a through <= 2.13.4.
Analysis (AI)
Reflected cross-site scripting (XSS) in the Infility Global WordPress plugin, in versions through 2.13.4, lets an unauthenticated remote attacker craft a URL that, when opened by a victim, executes attacker-supplied JavaScript in the victim's browser in the context of the affected site. The root cause is improper neutralization of request input during page generation. Depending on who opens the link, the script can read cookies not marked HttpOnly, issue requests with the victim's session (including administrative actions if the victim is a logged-in administrator), or redirect the victim to an attacker-controlled site. No public exploit code or active exploitation had been confirmed at the time of analysis, and the low EPSS score (0.04%) indicates a low estimated probability of exploitation in the wild; that estimate says nothing about the impact of a successful attack against a privileged user.
Technical Context (AI)
This is a reflected XSS vulnerability (CWE-79) in the Infility Global WordPress plugin. The root cause is improper neutralization of user-supplied input before it is rendered into HTML during page generation: a request parameter is echoed back in the HTTP response without encoding appropriate for its output context, so an attacker can craft a URL whose parameter value closes the surrounding markup and injects JavaScript that runs in the victim's browser. Because the payload travels in the request and is not stored, each victim must open the crafted URL. The advisory does not identify the affected parameter or page; what the classification tells a reviewer is that, in releases through 2.13.4, some request value reaches page output without HTML escaping (such as WordPress's esc_html() or esc_attr()) and without input sanitization.
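The pattern described above, as an added example that is not code from the Infility Global plugin or from the advisory: the generic reflected-XSS shape in a WordPress plugin beside its WordPress-idiomatic fix. The "q" parameter, the markup, and the function names are assumptions for illustration; the plugin's real parameter is not named anywhere in the advisory.

```php
<?php
// Added example, not code from the Infility Global plugin: the generic
// reflected-XSS pattern (CWE-79) shown beside the WordPress-idiomatic fix.
// The "q" parameter and the markup are assumptions for illustration.

// Fallbacks so the file runs outside WordPress. They approximate the real
// esc_html()/esc_attr()/sanitize_text_field(); inside WordPress a plugin
// must use the real functions.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        // Approximation: drop tags, control characters and surrounding space.
        $s = strip_tags($s);
        $s = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $s);
        return trim($s);
    }
}

// VULNERABLE: the request parameter is echoed into two HTML contexts
// (element content and an attribute value) with no sanitisation and no
// context-appropriate escaping.
function render_banner_vulnerable(array $get): string {
    $q = (string) ($get['q'] ?? '');
    return '<div class="banner">Results for: ' . $q . '</div>'
         . '<input type="text" name="q" value="' . $q . '">';
}

// FIXED: sanitise on input, then escape separately for each output context
// (esc_html for element content, esc_attr inside an attribute value).
function render_banner_fixed(array $get): string {
    $q = sanitize_text_field((string) ($get['q'] ?? ''));
    return '<div class="banner">Results for: ' . esc_html($q) . '</div>'
         . '<input type="text" name="q" value="' . esc_attr($q) . '">';
}

if (PHP_SAPI === 'cli') {
    // Constructed payloads: one for the element-content context and one that
    // breaks out of the attribute value (no <script> tag, so stripping tags
    // alone would not have stopped it; the escaping does).
    $payloads = [
        '<script>alert(document.domain)</script>',
        '" autofocus onfocus="alert(document.domain)',
    ];
    foreach ($payloads as $p) {
        echo "payload:    $p\n";
        echo "vulnerable: " . render_banner_vulnerable(['q' => $p]) . "\n";
        echo "fixed:      " . render_banner_fixed(['q' => $p]) . "\n\n";
    }
}
```

Run it with `php example.php` to see the two renderings side by side. Inside WordPress, values read from `$_GET` should additionally go through `wp_unslash()` before sanitisation, because WordPress adds slashes to the request superglobals; the second payload is the reason escaping must be chosen per output context rather than applied once at input.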
Affected Products (AI)
The Infility Global WordPress plugin is affected in all versions from an unspecified baseline through 2.13.4. The plugin is distributed via the official WordPress plugin repository under the slug 'infility-global'. No CPE is provided in the available data; any WordPress installation with this plugin installed and activated is at risk. For full advisory details, refer to the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/infility-global/vulnerability/wordpress-infility-global-plugin-2-11-2-reflected-cross-site-scripting-xss-vulnerability. Note that the advisory URL's slug refers to version 2.11.2 while the affected range stated here extends through 2.13.4; confirm the current affected and fixed versions on the Patchstack page rather than relying on the URL.
Remediation (AI)
Update the Infility Global WordPress plugin to a release later than 2.13.4. The fixed version is not stated in the available data; confirm it in the plugin's changelog on the WordPress plugin repository or in the Patchstack advisory before treating an update as a fix. After updating, verify the plugin's front-end functionality with your theme and other plugins. If no fixed release is available, deactivate the plugin on sites where it is not essential. Reflected XSS requires a victim to open a crafted link, so interim measures reduce exposure rather than remove it: a Web Application Firewall rule that blocks common XSS payloads in query parameters (expect bypasses; this is not a substitute for the patch), a Content-Security-Policy that disallows inline script where the site can tolerate it, and a reminder to administrators and editors not to open untrusted links while logged in. See https://patchstack.com/database/Wordpress/Plugin/infility-global/vulnerability/wordpress-infility-global-plugin-2-11-2-reflected-cross-site-scripting-xss-vulnerability for additional guidance.
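To find which installations still need the update, here is an added example (not part of the advisory or of the plugin) that scans WordPress document roots for the 'infility-global' plugin and flags versions at or below 2.13.4. It assumes the standard layout `<docroot>/wp-content/plugins/<slug>/` and WordPress's plugin header format; the demo document root and plugin file it creates are constructed for the example.

```php
<?php
// Added example, not part of the advisory or the plugin: scan one or more
// WordPress document roots for the infility-global plugin and flag installs
// whose version is <= 2.13.4. Assumes the standard layout
// <docroot>/wp-content/plugins/<slug>/ and the WordPress plugin header
// format ("Plugin Name:" and "Version:" in a comment block of the main file).

const AFFECTED_SLUG         = 'infility-global';
const LAST_AFFECTED_VERSION = '2.13.4';

// Read one header field from a plugin file. WordPress reads headers from the
// first 8 KiB of the file, so we do the same.
function read_header(string $source, string $field): ?string {
    $head    = substr($source, 0, 8192);
    $pattern = '/^[ \t\/*#@]*' . preg_quote($field, '/') . ':\s*(.+?)\s*$/mi';
    return preg_match($pattern, $head, $m) ? trim($m[1]) : null;
}

function is_affected_version(string $version): bool {
    // Anything at or below 2.13.4 is inside the advisory's affected range.
    return version_compare($version, LAST_AFFECTED_VERSION, '<=');
}

// Locate the plugin's main file (the one carrying "Plugin Name:") in the
// plugin directory and return its version, or null if no header is found.
function plugin_version(string $plugin_dir): ?string {
    foreach (glob($plugin_dir . '/*.php') ?: [] as $file) {
        $src = file_get_contents($file);
        if ($src !== false && read_header($src, 'Plugin Name') !== null) {
            return read_header($src, 'Version');
        }
    }
    return null;
}

// One row per document root: installed?, version, affected?
function scan_docroots(array $docroots): array {
    $rows = [];
    foreach ($docroots as $root) {
        $dir = rtrim($root, '/') . '/wp-content/plugins/' . AFFECTED_SLUG;
        if (!is_dir($dir)) {
            $rows[] = ['docroot' => $root, 'installed' => false,
                       'version' => null, 'affected' => false];
            continue;
        }
        $ver    = plugin_version($dir);
        $rows[] = [
            'docroot'   => $root,
            'installed' => true,
            'version'   => $ver,
            // Unknown version: treat as affected until someone verifies it.
            'affected'  => $ver === null ? true : is_affected_version($ver),
        ];
    }
    return $rows;
}

if (PHP_SAPI === 'cli') {
    // Constructed demo: a temporary docroot holding a fake plugin header
    // at 2.13.4, plus a path that does not exist.
    $root = sys_get_temp_dir() . '/demo-wp-' . uniqid();
    $dir  = $root . '/wp-content/plugins/' . AFFECTED_SLUG;
    mkdir($dir, 0700, true);
    file_put_contents($dir . '/plugin.php',
        "<?php\n/**\n * Plugin Name: Infility Global\n * Version: 2.13.4\n */\n");

    foreach (scan_docroots([$root, '/var/www/nonexistent']) as $r) {
        printf("%-45s installed=%-3s version=%-7s affected=%s\n",
            $r['docroot'], $r['installed'] ? 'yes' : 'no',
            $r['version'] ?? 'n/a', $r['affected'] ? 'YES' : 'no');
    }
}
```

Point `scan_docroots()` at your real document roots instead of the constructed demo path to produce an inventory. Because the fixed version is not known from the advisory, the check deliberately uses the last affected version as its boundary; once the patched release is confirmed on Patchstack, tighten the comparison to `< <fixed version>` so that unknown interim builds are not reported as safe.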