Skip to main content

NextMove Lite CVE-2025-52735

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-10-22 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Analysis Updated
Apr 24, 2026 - 01:13 vuln.today
v3 (cvss_changed)
Analysis Updated
Apr 24, 2026 - 01:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Severity Changed
Apr 23, 2026 - 15:42 NVD
MEDIUM HIGH
CVSS changed
Apr 23, 2026 - 15:42 NVD
6.5 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Oct 22, 2025 - 15:15 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Reflected XSS.This issue affects NextMove Lite: from n/a through <= 2.24.0.

AnalysisAI

Reflected cross-site scripting in NextMove Lite (WordPress thank-you page plugin) versions ≤2.24.0 allows unauthenticated remote attackers to execute malicious JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but achieves scope change per CVSS vector, enabling session hijacking, credential theft, or malicious actions under victim's WordPress session. EPSS score of 0.03% (8th percentile) indicates low probability of mass exploitation, though XSS vulnerabilities are commonly used in targeted social engineering campaigns against WordPress site administrators.

Technical ContextAI

NextMove Lite (woo-thank-you-page-nextmove-lite) is a WordPress plugin for customizing WooCommerce thank-you pages post-checkout. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), where user-supplied input reflected in HTML output lacks proper sanitization or encoding. WordPress plugins frequently handle URL parameters, form inputs, or AJAX requests without adequate escaping via WordPress sanitization functions (esc_html, esc_attr, wp_kses). The CVSS scope change (S:C) suggests the XSS can affect resources beyond the vulnerable plugin's own context, potentially compromising the WordPress admin session or other site components. Affected versions identified via CPE are all NextMove Lite releases through 2.24.0 for WordPress.

RemediationAI

Upgrade NextMove Lite plugin to version 2.24.1 or later if available, checking WordPress plugin repository or XLPlugins vendor site for patched release. Verify patch availability at https://patchstack.com/database/Wordpress/Plugin/woo-thank-you-page-nextmove-lite/vulnerability/wordpress-nextmove-lite-plugin-2-20-0-cross-site-scripting-xss-vulnerability?_s_id=cve for specific fix version confirmation. If no patched version exists, implement compensating controls: restrict plugin admin page access to trusted IP ranges via .htaccess or security plugin rules (trade-off: reduces administrative flexibility for remote staff); deploy WordPress security plugin with XSS filtering rules like Wordfence or Sucuri (trade-off: performance overhead, potential false positives blocking legitimate inputs); disable NextMove Lite plugin entirely if thank-you page customization is non-critical business requirement (trade-off: loss of post-purchase engagement features). Educate WordPress administrators to avoid clicking unverified links in emails or support tickets, and implement Content Security Policy headers to restrict inline script execution.

Share

CVE-2025-52735 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy