Skip to main content

WooTour CVE-2025-54722

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-11-06 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 24, 2026 - 00:45 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
CVE Published
Nov 06, 2025 - 16:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ex-Themes WooTour woo-tour allows Reflected XSS.This issue affects WooTour: from n/a through <= 3.6.3.

AnalysisAI

Reflected Cross-Site Scripting (XSS) in WooTour plugin for WordPress versions up to 3.6.3 allows remote unauthenticated attackers to execute malicious JavaScript in victim browsers by tricking users into clicking crafted links. The vulnerability stems from improper neutralization of user input during web page generation. EPSS score of 0.08% indicates low likelihood of mass exploitation, and no active exploitation has been reported by CISA KEV at time of analysis.

Technical ContextAI

WooTour is a WordPress plugin by Ex-Themes for tour and travel booking functionality. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic reflected XSS flaw. This occurs when user-supplied input from HTTP request parameters is echoed directly into HTML responses without proper sanitization, encoding, or validation. In WordPress plugin context, this typically affects admin or public-facing pages that process GET/POST parameters and render them in the DOM without using WordPress escaping functions like esc_html(), esc_attr(), or esc_js(). The Scope:Changed metric in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component's security scope, consistent with XSS that can target other WordPress users or sessions.

Affected ProductsAI

The vulnerability affects Ex-Themes WooTour (woo-tour) plugin for WordPress, all versions from the initial release through version 3.6.3 inclusive. This is a commercial WordPress plugin used for tour booking and travel management functionality. The Patchstack database reference confirms the vulnerability applies to WordPress installations with WooTour plugin version 3.6.3 and earlier. No CPE identifiers were provided in the source data. Vendor advisory and patch information can be found at https://patchstack.com/database/Wordpress/Plugin/woo-tour/vulnerability/wordpress-wootour-plugin-3-6-3-cross-site-scripting-xss-vulnerability?_s_id=cve.

RemediationAI

Upgrade WooTour plugin to version 3.6.4 or later if available, or apply vendor-provided security patch addressing CVE-2025-54722. Check the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woo-tour/vulnerability/wordpress-wootour-plugin-3-6-3-cross-site-scripting-xss-vulnerability?_s_id=cve for the exact patched version and upgrade instructions. If immediate patching is not feasible, implement compensating controls: configure Web Application Firewall (WAF) rules to detect and block XSS payloads in HTTP parameters (note: may cause false positives on legitimate user input containing HTML-like characters); restrict WooTour plugin access to trusted administrative users only via WordPress role management; educate administrators to avoid clicking unknown links while authenticated (reduces social engineering success but does not eliminate technical risk); enable Content Security Policy (CSP) headers to restrict inline script execution (may break legitimate plugin functionality requiring testing). Until patching is confirmed, monitor WordPress access logs for unusual parameter patterns or JavaScript injection attempts in URLs associated with WooTour endpoints.

Share

CVE-2025-54722 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy