CVE-2025-63021
Lifecycle Timeline
2Tags
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codetipi Valenti Engine valenti-engine allows DOM-Based XSS.This issue affects Valenti Engine: from n/a through <= 1.0.3.
Analysis
DOM-based cross-site scripting (XSS) in codetipi Valenti Engine through version 1.0.3 allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects the WordPress plugin and is classified as improper neutralization of input during web page generation. With an EPSS score of 0.01% and no CVSS severity data available, real-world exploitation risk appears minimal, though the attack vector and prerequisites require confirmation from patch analysis.
Technical Context
This vulnerability is a DOM-based XSS flaw (CWE-79) in the Valenti Engine WordPress plugin, a web page generation or template engine component. DOM-based XSS occurs when untrusted user input is processed by client-side JavaScript and inserted into the DOM without proper sanitization or encoding, allowing attackers to execute arbitrary JavaScript in the victim's browser context. The improper neutralization occurs during web page generation, suggesting the plugin constructs dynamic content without adequate output encoding or input validation. The affected product is codetipi's Valenti Engine, distributed as a WordPress plugin, versions up to and including 1.0.3.
Affected Products
codetipi Valenti Engine WordPress plugin versions from an unspecified baseline through version 1.0.3. The plugin is listed in the Patchstack vulnerability database for WordPress plugins, indicating it is distributed via or compatible with the WordPress ecosystem. Further details on affected hosting/deployment contexts and whether the plugin is actively maintained are not specified in the provided data.
Remediation
Users should upgrade to a patched version of Valenti Engine if available from codetipi; however, no specific patched version number is confirmed in the provided data. Check the plugin's official repository or codetipi's website for version 1.0.4 or later. If no patched release is available, consider disabling or removing the plugin pending a security update. Input validation and output encoding should be implemented to prevent DOM-based XSS-specifically, ensure all user-supplied data inserted into the DOM is properly HTML-encoded or uses safe DOM APIs (e.g., textContent instead of innerHTML). See the Patchstack database entry for additional context: https://patchstack.com/database/Wordpress/Plugin/valenti-engine/vulnerability/wordpress-valenti-engine-plugin-1-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today