CVE-2025-52779

2025-07-16 [email protected]
PHP XSS

Lifecycle Timeline

2
Analysis Generated
Apr 01, 2026 - 17:43 vuln.today
CVE Published
Jul 16, 2025 - 12:15 nvd
N/A

DescriptionNVD

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in karimmughal Dot html,php,xml etc pages dot-htmlphpxml-etc-pages allows Reflected XSS.This issue affects Dot html,php,xml etc pages: from n/a through <= 1.0.

AnalysisAI

Reflected cross-site scripting (XSS) in the WordPress plugin Dot html,php,xml etc pages version 1.0 and earlier allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to execute arbitrary JavaScript in victims' browsers. While a public advisory exists, the EPSS score of 0.04% indicates low exploitation probability, and no active exploitation or public proof-of-concept has been confirmed.

Technical ContextAI

The vulnerability is a reflected XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in a WordPress plugin that processes HTML, PHP, XML, and other page types. The root cause is insufficient sanitization of user-supplied input before rendering it in web page output. Reflected XSS occurs when untrusted input is echoed back to the user's browser without escaping or validation, allowing attackers to inject HTML and JavaScript payloads. The affected plugin (CPE data not provided in sources) is a WordPress plugin authored by karimmughal that handles multiple file type formats.

Affected ProductsAI

The vulnerable product is the WordPress plugin "Dot html,php,xml etc pages" version 1.0 and all earlier versions, authored by karimmughal. The plugin is distributed through WordPress.org and processes multiple file type formats. Specific CPE data was not provided in available references, but the advisory is documented in the Patchstack vulnerability database for WordPress plugins.

RemediationAI

Users should upgrade the "Dot html,php,xml etc pages" plugin to a patched version released after 1.0. For current version status and exact patch availability, refer to the official advisory at https://patchstack.com/database/Wordpress/Plugin/dot-htmlphpxml-etc-pages/vulnerability/wordpress-dot-html-php-xml-etc-pages-1-0-cross-site-scripting-xss-vulnerability. If the plugin is no longer maintained or a patch is unavailable, consider replacing it with an actively maintained alternative that properly sanitizes input. As an interim measure, restrict plugin functionality or disable it until patched. Website administrators should audit user input handling across all custom pages and ensure output encoding is applied consistently using WordPress sanitization functions (e.g., wp_kses_post, esc_html).

Share

CVE-2025-52779 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy