NextMove Lite CVE-2025-52735
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
7DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Reflected XSS.This issue affects NextMove Lite: from n/a through <= 2.24.0.
AnalysisAI
Reflected cross-site scripting in NextMove Lite (WordPress thank-you page plugin) versions ≤2.24.0 allows unauthenticated remote attackers to execute malicious JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but achieves scope change per CVSS vector, enabling session hijacking, credential theft, or malicious actions under victim's WordPress session. EPSS score of 0.03% (8th percentile) indicates low probability of mass exploitation, though XSS vulnerabilities are commonly used in targeted social engineering campaigns against WordPress site administrators.
Technical ContextAI
NextMove Lite (woo-thank-you-page-nextmove-lite) is a WordPress plugin for customizing WooCommerce thank-you pages post-checkout. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), where user-supplied input reflected in HTML output lacks proper sanitization or encoding. WordPress plugins frequently handle URL parameters, form inputs, or AJAX requests without adequate escaping via WordPress sanitization functions (esc_html, esc_attr, wp_kses). The CVSS scope change (S:C) suggests the XSS can affect resources beyond the vulnerable plugin's own context, potentially compromising the WordPress admin session or other site components. Affected versions identified via CPE are all NextMove Lite releases through 2.24.0 for WordPress.
RemediationAI
Upgrade NextMove Lite plugin to version 2.24.1 or later if available, checking WordPress plugin repository or XLPlugins vendor site for patched release. Verify patch availability at https://patchstack.com/database/Wordpress/Plugin/woo-thank-you-page-nextmove-lite/vulnerability/wordpress-nextmove-lite-plugin-2-20-0-cross-site-scripting-xss-vulnerability?_s_id=cve for specific fix version confirmation. If no patched version exists, implement compensating controls: restrict plugin admin page access to trusted IP ranges via .htaccess or security plugin rules (trade-off: reduces administrative flexibility for remote staff); deploy WordPress security plugin with XSS filtering rules like Wordfence or Sucuri (trade-off: performance overhead, potential false positives blocking legitimate inputs); disable NextMove Lite plugin entirely if thank-you page customization is non-critical business requirement (trade-off: loss of post-purchase engagement features). Educate WordPress administrators to avoid clicking unverified links in emails or support tickets, and implement Content Security Policy headers to restrict inline script execution.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today