Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ex-Themes WooTour woo-tour allows Reflected XSS.This issue affects WooTour: from n/a through <= 3.6.3.
AnalysisAI
Reflected Cross-Site Scripting (XSS) in WooTour plugin for WordPress versions up to 3.6.3 allows remote unauthenticated attackers to execute malicious JavaScript in victim browsers by tricking users into clicking crafted links. The vulnerability stems from improper neutralization of user input during web page generation. EPSS score of 0.08% indicates low likelihood of mass exploitation, and no active exploitation has been reported by CISA KEV at time of analysis.
Technical ContextAI
WooTour is a WordPress plugin by Ex-Themes for tour and travel booking functionality. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic reflected XSS flaw. This occurs when user-supplied input from HTTP request parameters is echoed directly into HTML responses without proper sanitization, encoding, or validation. In WordPress plugin context, this typically affects admin or public-facing pages that process GET/POST parameters and render them in the DOM without using WordPress escaping functions like esc_html(), esc_attr(), or esc_js(). The Scope:Changed metric in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component's security scope, consistent with XSS that can target other WordPress users or sessions.
Affected ProductsAI
The vulnerability affects Ex-Themes WooTour (woo-tour) plugin for WordPress, all versions from the initial release through version 3.6.3 inclusive. This is a commercial WordPress plugin used for tour booking and travel management functionality. The Patchstack database reference confirms the vulnerability applies to WordPress installations with WooTour plugin version 3.6.3 and earlier. No CPE identifiers were provided in the source data. Vendor advisory and patch information can be found at https://patchstack.com/database/Wordpress/Plugin/woo-tour/vulnerability/wordpress-wootour-plugin-3-6-3-cross-site-scripting-xss-vulnerability?_s_id=cve.
RemediationAI
Upgrade WooTour plugin to version 3.6.4 or later if available, or apply vendor-provided security patch addressing CVE-2025-54722. Check the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woo-tour/vulnerability/wordpress-wootour-plugin-3-6-3-cross-site-scripting-xss-vulnerability?_s_id=cve for the exact patched version and upgrade instructions. If immediate patching is not feasible, implement compensating controls: configure Web Application Firewall (WAF) rules to detect and block XSS payloads in HTTP parameters (note: may cause false positives on legitimate user input containing HTML-like characters); restrict WooTour plugin access to trusted administrative users only via WordPress role management; educate administrators to avoid clicking unknown links while authenticated (reduces social engineering success but does not eliminate technical risk); enable Content Security Policy (CSP) headers to restrict inline script execution (may break legitimate plugin functionality requiring testing). Until patching is confirmed, monitor WordPress access logs for unusual parameter patterns or JavaScript injection attempts in URLs associated with WooTour endpoints.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today