CVE-2025-63057
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Roxnor Wp Ultimate Review wp-ultimate-review allows DOM-Based XSS. This issue affects Wp Ultimate Review: from n/a through <= 2.3.7.
Analysis
DOM-based cross-site scripting in WordPress plugin WP Ultimate Review versions ≤2.3.7 allows remote attackers to execute malicious JavaScript in victims' browsers via crafted input that is improperly sanitized during client-side page rendering. The vulnerability requires user interaction (CVSS UI:R) but no authentication (PR:N), enabling attacks via social engineering or malicious links. Exploitation probability is low (EPSS 0.04%, 14th percentile), with no public exploit identified at time of analysis and no confirmed active exploitation (not in CISA KEV).
Technical Context
This is a DOM-based XSS vulnerability (CWE-79) in the WP Ultimate Review WordPress plugin by Roxnor, affecting all versions through 2.3.7. DOM-based XSS occurs when client-side JavaScript processes untrusted data and writes it into the Document Object Model without proper sanitization. Unlike reflected or stored XSS, where the payload is embedded during server-side HTML generation, DOM-based XSS manifests entirely in the browser through unsafe JavaScript sinks (e.g., innerHTML, document.write, eval). The plugin likely reads user-controllable input from URL parameters, fragments, or form fields and inserts it into the page DOM without encoding or validation. The vulnerability was reported by Patchstack's security research team, indicating discovery through a third-party security audit rather than vendor disclosure.
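The following is an added illustration of the source-to-sink pattern described above, not code from WP Ultimate Review or from Patchstack; the query parameter name `reviewer`, the `example.invalid` URL and the stand-in DOM objects are constructed for this example only. It contrasts the vulnerable pattern (untrusted text concatenated into markup destined for `innerHTML`) with two hardened forms: contextual HTML encoding, and assigning the value through `textContent` so the browser never parses it as markup.

```javascript
// Source: an attacker-influenced value read on the client side. The WHATWG URL
// API exists in browsers and in Node, and searchParams.get() percent-decodes.
// "reviewer" is a hypothetical parameter name, not one the plugin is known to use.
function untrustedReviewerFromUrl(href) {
  return new URL(href).searchParams.get('reviewer') || '';
}

// Vulnerable pattern: the raw value is concatenated into markup. Whatever this
// returns is what a line such as `el.innerHTML = ...` would parse as HTML,
// so any tag syntax in the value becomes live DOM.
function buildReviewMarkupUnsafe(reviewer) {
  return '<span class="reviewer">' + reviewer + '</span>';
}

// Contextual output encoding for the HTML text / quoted-attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern 1: encode before the value enters an HTML context.
function buildReviewMarkupSafe(reviewer) {
  return '<span class="reviewer">' + escapeHtml(reviewer) + '</span>';
}

// Hardened pattern 2 (preferred in real DOM code): do not build markup from the
// value at all; create the element and assign the text via textContent.
function renderReviewSafe(container, doc, reviewer) {
  const span = doc.createElement('span');
  span.className = 'reviewer';
  span.textContent = reviewer;
  container.appendChild(span);
  return span;
}

// Minimal stand-in for a DOM element so the file also runs outside a browser
// (constructed for this example; a real page would use window.document).
function fakeElement(tag) {
  return {
    tagName: tag,
    className: '',
    textContent: '',
    children: [],
    appendChild(child) { this.children.push(child); return child; },
  };
}
const fakeDocument = { createElement: fakeElement };

// Walk one constructed URL through the vulnerable and hardened paths.
function demo() {
  const href = 'https://example.invalid/reviews/?reviewer=%3Cscript%3Eprobe()%3C%2Fscript%3E';
  const value = untrustedReviewerFromUrl(href);
  const container = fakeElement('div');
  const span = renderReviewSafe(container, fakeDocument, value);
  return {
    value,
    unsafe: buildReviewMarkupUnsafe(value),   // tag syntax survives intact
    safe: buildReviewMarkupSafe(value),       // tag syntax is encoded
    textNode: span.textContent,               // stored as text, never parsed
    childCount: container.children.length,
  };
}
```

In a browser, `renderReviewSafe(document.getElementById('reviews'), document, value)` is the form to prefer; `buildReviewMarkupSafe` is the fallback when an existing code path insists on string markup. A CSP such as the `script-src 'self'` mentioned under Remediation would stop the inline `<script>` in the unsafe output from executing, but it does not remove the injection itself, which is why the encoding or `textContent` fix is still required.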
Affected Products
WordPress plugin WP Ultimate Review by Roxnor, all versions from earliest release through version 2.3.7 inclusive. The vulnerability report does not specify a lower version bound (indicated as 'n/a' in source data), suggesting all historical versions contain the flaw. Affected installations include any WordPress site with this plugin active, regardless of WordPress core version. The Patchstack database entry (reference: https://patchstack.com/database/Wordpress/Plugin/wp-ultimate-review/vulnerability/wordpress-wp-ultimate-review-plugin-2-3-6-cross-site-scripting-xss-vulnerability?_s_id=cve) provides additional vulnerability details, though the reference URL mentions version 2.3.6 specifically while the CVE scope extends through 2.3.7.
Remediation
Upgrade the WP Ultimate Review plugin to the latest patched version immediately. While the provided data does not specify an exact fixed release version number, the vulnerability scope indicates versions through 2.3.7 are affected, implying version 2.3.8 or higher should contain the fix. Site administrators should log into the WordPress admin dashboard, navigate to Plugins, check for an available update to WP Ultimate Review, and apply it. Before updating production sites, test the new version in a staging environment to ensure compatibility. If immediate patching is not feasible, implement temporary mitigations: disable the WP Ultimate Review plugin until patching is complete, restrict plugin usage to trusted administrators only, deploy Content Security Policy (CSP) headers to limit the impact of XSS (e.g., script-src 'self'), and educate users not to click untrusted links that could trigger DOM-based payload execution. Consult the official Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-ultimate-review/ for vendor-specific remediation guidance and confirmation of the fixed version number.