CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
Description (NVD)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Reflected XSS. This issue affects NextMove Lite: from n/a through <= 2.24.0.
Analysis (AI)
Reflected cross-site scripting (XSS) in the XLPlugins NextMove Lite WordPress plugin (woo-thank-you-page-nextmove-lite), versions up to and including 2.24.0, lets an attacker who holds a low-privileged WordPress account (PR:L) inject script through input that the plugin echoes into a generated page without neutralization. The attacker crafts a link carrying the payload; when a logged-in victim follows it (UI:R), the script executes in the victim's browser in the origin of the WordPress site, which is why the vector records a scope change (S:C). The CVSS 3.1 base score is 6.5 (Medium). The EPSS score of 0.03% (8th percentile) is an estimate of the probability of exploitation in the wild over the next 30 days; it is a prioritization signal, not evidence that the flaw has or has not been exploited, and it should be weighed against the fact that the vulnerability is publicly disclosed.
Technical Context (AI)
The root cause is improper neutralization of input during dynamic HTML generation, CWE-79 (Improper Neutralization of Input During Web Page Generation). The NextMove Lite plugin (CPE: cpe:2.3:a:xlplugins:nextmove:*:*:*:*:lite:wordpress:*:*) fails to sanitize or escape user-supplied input before rendering it into a page, so an attacker can inject arbitrary HTML and JavaScript. Because the XSS is reflected, the payload travels in the request (typically a URL parameter) rather than being stored in the database, so the attacker must get a victim to open a crafted link. The authentication requirement (PR:L in the CVSS vector) means the attacker needs a WordPress account, which narrows the attack surface relative to unauthenticated XSS; the caveat is that on sites where visitors or customers can register, a low-privileged account is a weak precondition, and the realistic target is an administrator, whose session would then execute whatever the injected script does.
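To make the CWE-79 pattern concrete, the following is an added PHP example written for this page; it is not NextMove Lite's code, and the `ref` parameter and the thank-you-page markup are hypothetical because the advisory does not name the vulnerable input. It shows a query-string value reflected into a page without escaping, beside the same rendering with context-aware escaping applied at the point of output.

```php
<?php
// Added illustration, not code from NextMove Lite. The parameter name `ref`
// and the thank-you page markup are hypothetical; the advisory does not name
// the vulnerable input.

// Vulnerable pattern (CWE-79): a query-string value is interpolated into the
// page during generation with no neutralisation. A crafted link such as
// ?ref=%22%3E%3Cscript%3E...%3C/script%3E terminates the attribute and
// injects a script element.
function render_thankyou_vulnerable(array $query): string
{
    $ref = $query['ref'] ?? '';
    return '<p class="nextmove-ref" data-ref="' . $ref . '">'
         . 'Thanks, order reference: ' . $ref . '</p>';
}

// Hardened pattern: escape for the HTML context at the point of output.
// htmlspecialchars with ENT_QUOTES neutralises <, >, &, " and ', so the value
// can neither close the attribute nor open a tag. In WordPress the equivalent
// calls are esc_attr() for attribute values and esc_html() for element text;
// href and inline-JS contexts need esc_url() / wp_json_encode() instead.
function render_thankyou_hardened(array $query): string
{
    $ref  = (string) ($query['ref'] ?? '');
    $safe = htmlspecialchars($ref, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p class="nextmove-ref" data-ref="' . $safe . '">'
         . 'Thanks, order reference: ' . $safe . '</p>';
}

// Constructed reflected-XSS probe: closes the attribute, injects a script
// element, then re-opens an attribute so the rest of the markup still parses.
$payload = '"><script>alert(document.cookie)</script><p x="';

$vulnerable = render_thankyou_vulnerable(['ref' => $payload]);
$hardened   = render_thankyou_hardened(['ref' => $payload]);

// Self-check: the raw <script> tag survives only in the vulnerable output.
assert(strpos($vulnerable, '<script>') !== false);
assert(strpos($hardened, '<script>') === false);
assert(strpos($hardened, '&lt;script&gt;') !== false);

echo $vulnerable, PHP_EOL, $hardened, PHP_EOL;
```

Run it with `php example.php` (PHP 7.4 or later); the assertions pass only if the vulnerable renderer reflects the raw `<script>` tag and the hardened one does not. The point to carry over to any plugin fix is that escaping belongs at the output site and must match the output context, because the same input value may be written into an attribute, element text and a URL on one page; stripping characters on input does not cover all three.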
Remediation (AI)
The available data does not confirm which release contains the fix. Check the Patchstack advisory for this plugin (https://patchstack.com/database/Wordpress/Plugin/woo-thank-you-page-nextmove-lite/) for the patched version and upgrade NextMove Lite as soon as it is available; if the plugin is not actively required, deactivate and remove it instead. Because the precondition is a low-privileged account, review whether open user registration is enabled and whether untrusted users hold accounts, and keep administrators from following untrusted links while logged in. As defence in depth, add Web Application Firewall (WAF) rules that block typical reflected-XSS payloads (angle brackets, event-handler attributes, javascript: URIs) in query parameters sent to the plugin's pages, and deploy a Content Security Policy (CSP); note that WordPress front-end and admin pages rely heavily on inline scripts, so a CSP strict enough to stop an injected script element normally requires nonces or hashes and testing in report-only mode before enforcement.