Skip to main content

Doliconnect CVE-2025-53574

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-11-06 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Analysis Updated
Apr 24, 2026 - 00:48 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
Severity Changed
Apr 23, 2026 - 15:43 NVD
MEDIUM HIGH
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.1 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
CVE Published
Nov 06, 2025 - 16:15 nvd
MEDIUM 6.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ptibogxiv Doliconnect doliconnect allows Reflected XSS.This issue affects Doliconnect: from n/a through <= 9.3.2.

AnalysisAI

Reflected cross-site scripting (XSS) in Doliconnect WordPress plugin versions up to 9.3.2 allows remote attackers to execute arbitrary JavaScript in victims' browsers through malicious links. The vulnerability requires user interaction (clicking a crafted link) but needs no authentication, enabling session hijacking, credential theft, or malicious actions in the context of the victim's WordPress session. EPSS score of 0.05% indicates very low observed exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis.

Technical ContextAI

Doliconnect is a WordPress plugin that integrates Dolibarr ERP/CRM functionality into WordPress sites. This vulnerability stems from improper neutralization of user-supplied input before rendering it in HTML responses (CWE-79: Cross-site Scripting). The reflected XSS variant means malicious scripts are embedded in URL parameters or form data that are immediately echoed back in the HTTP response without proper sanitization or output encoding. The changed scope (S:C) in the CVSS vector indicates the vulnerable component (Doliconnect plugin) can impact resources beyond its security scope, specifically the WordPress application and user sessions. WordPress plugins commonly introduce XSS through inadequate use of WordPress escaping functions like esc_html(), esc_url(), or wp_kses() when processing GET/POST parameters or rendering user-controllable data in templates.

Affected ProductsAI

Doliconnect WordPress plugin versions from the initial release through version 9.3.2 are confirmed vulnerable per Patchstack advisory. The plugin is developed by ptibogxiv and available through the WordPress.org plugin repository. Organizations using Doliconnect to integrate Dolibarr ERP/CRM with WordPress sites should verify their installed version in the WordPress admin panel under Plugins. The vulnerability affects all WordPress installations running affected Doliconnect versions regardless of underlying PHP or WordPress core version. Patchstack vulnerability database entry available at https://patchstack.com/database/Wordpress/Plugin/doliconnect/vulnerability/wordpress-doliconnect-plugin-9-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve

RemediationAI

Update Doliconnect to version 9.3.3 or later if available through the WordPress plugin repository or the vendor's official distribution channel. Check the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/doliconnect/vulnerability/wordpress-doliconnect-plugin-9-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve for confirmed patched version details, as the exact fix version is not independently verified in the provided data. If immediate patching is not possible, implement compensating controls: configure Content Security Policy (CSP) headers with strict script-src directives to block inline JavaScript execution, though this may break legitimate plugin functionality requiring careful testing; deploy web application firewall (WAF) rules to detect and block common XSS payloads in HTTP parameters, noting this provides defense-in-depth but can be bypassed with obfuscation; educate users to avoid clicking untrusted links pointing to the WordPress admin area or plugin endpoints, particularly links received via email or messaging platforms. Consider temporarily disabling the Doliconnect plugin if Dolibarr integration is not business-critical until a verified patch is deployed. After updating, test all Doliconnect functionality including form submissions and ERP data synchronization to ensure the patch does not introduce regressions.

Share

CVE-2025-53574 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy