Skip to main content

Auros Core CVE-2025-64637

| EUVDEUVD-2025-210355 MEDIUM
Basic XSS (CWE-80)
2026-06-26 audit@patchstack.com GHSA-p996-m2fp-f68f
5.3
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible, no auth, low complexity; I:L added over NVD because injecting HTML content into a page represents an integrity violation of that rendered output, even if scope-unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:04 vuln.today

DescriptionCVE.org

Unauthenticated Content Injection in Auros Core <= 5.3.1 versions.

AnalysisAI

Unauthenticated content injection in the Auros Core WordPress plugin (versions 5.3.1 and earlier) permits remote attackers to inject script-related HTML tags into rendered page output without any privileges or user interaction. The vulnerability is classified under CWE-80 (Basic XSS) and carries a CVSS 3.1 score of 5.3 (Medium), with impact limited to low confidentiality - consistent with an attacker reading page-context data rather than persistently compromising other users' sessions. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

Technical ContextAI

Auros Core is a WordPress plugin; the exact functional purpose is not described in available intelligence, but its CPE data was not provided. CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page - Basic XSS) identifies the root cause as failure to strip or encode script-related HTML constructs - such as script, img onerror, or similar tags - from attacker-supplied input before that input is reflected or embedded in HTML responses. The unchanged scope (S:U) in the CVSS vector indicates the injection's impact is bounded within the trust zone of the vulnerable WordPress component itself, rather than crossing into a separate security domain. The UI:N metric is atypical for XSS vulnerabilities that require a victim's browser to trigger the payload; this suggests the injection manifests in the attacker's own HTTP response, consistent with a reflected or parameter-echo scenario rather than a stored XSS that silently executes in another user's session.

RemediationAI

Update the Auros Core WordPress plugin to a version released after 5.3.1. The exact patched version number was not confirmed in the available intelligence - consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/auros-core/vulnerability/wordpress-auros-core-plugin-5-3-1-content-injection-vulnerability for the confirmed fix version before considering remediation complete. If an updated version is not yet available, the most effective compensating control is to deactivate and remove the Auros Core plugin entirely, accepting the loss of its functionality as a trade-off against exposure. As a partial network-layer mitigation, a Web Application Firewall rule targeting script-tag injection patterns (such as angle-bracket sequences containing script keywords) in HTTP request parameters may reduce exploitation opportunity, though this is bypassable and is not a substitute for patching. WordPress site administrators should also ensure that output escaping is enforced globally via a security hardening plugin as a defense-in-depth measure.

Share

CVE-2025-64637 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy