Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-accessible, no auth, low complexity; I:L added over NVD because injecting HTML content into a page represents an integrity violation of that rendered output, even if scope-unchanged.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Content Injection in Auros Core <= 5.3.1 versions.
AnalysisAI
Unauthenticated content injection in the Auros Core WordPress plugin (versions 5.3.1 and earlier) permits remote attackers to inject script-related HTML tags into rendered page output without any privileges or user interaction. The vulnerability is classified under CWE-80 (Basic XSS) and carries a CVSS 3.1 score of 5.3 (Medium), with impact limited to low confidentiality - consistent with an attacker reading page-context data rather than persistently compromising other users' sessions. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
Technical ContextAI
Auros Core is a WordPress plugin; the exact functional purpose is not described in available intelligence, but its CPE data was not provided. CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page - Basic XSS) identifies the root cause as failure to strip or encode script-related HTML constructs - such as script, img onerror, or similar tags - from attacker-supplied input before that input is reflected or embedded in HTML responses. The unchanged scope (S:U) in the CVSS vector indicates the injection's impact is bounded within the trust zone of the vulnerable WordPress component itself, rather than crossing into a separate security domain. The UI:N metric is atypical for XSS vulnerabilities that require a victim's browser to trigger the payload; this suggests the injection manifests in the attacker's own HTTP response, consistent with a reflected or parameter-echo scenario rather than a stored XSS that silently executes in another user's session.
RemediationAI
Update the Auros Core WordPress plugin to a version released after 5.3.1. The exact patched version number was not confirmed in the available intelligence - consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/auros-core/vulnerability/wordpress-auros-core-plugin-5-3-1-content-injection-vulnerability for the confirmed fix version before considering remediation complete. If an updated version is not yet available, the most effective compensating control is to deactivate and remove the Auros Core plugin entirely, accepting the loss of its functionality as a trade-off against exposure. As a partial network-layer mitigation, a Web Application Firewall rule targeting script-tag injection patterns (such as angle-bracket sequences containing script keywords) in HTTP request parameters may reduce exploitation opportunity, though this is bypassable and is not a substitute for patching. WordPress site administrators should also ensure that output escaping is enforced globally via a security hardening plugin as a defense-in-depth measure.
Same weakness CWE-80 – Basic XSS
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210355
GHSA-p996-m2fp-f68f