Description (NVD)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dmccan Yada Wiki yada-wiki allows Stored XSS. This issue affects Yada Wiki: from n/a through <= 3.5.
Analysis (AI)
Stored cross-site scripting (XSS) in Yada Wiki WordPress plugin through version 3.5 allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability stems from improper input sanitization during web page generation, enabling persistent XSS attacks that could compromise site integrity, steal credentials, or perform actions on behalf of administrators. EPSS exploitation probability is very low at 0.04%, but the stored nature of the vulnerability means injected payloads persist across sessions.
Technical Context (AI)
Yada Wiki is a WordPress plugin (CPE: wp:yada-wiki) that provides wiki functionality within WordPress sites. The vulnerability is a CWE-79 (Improper Neutralization of Input During Web Page Generation) defect, which occurs when user-supplied data is rendered into HTML output without proper escaping or validation. In this case, the plugin fails to adequately sanitize or escape user input before storing it in the database and later rendering it in web pages, so an attacker can inject arbitrary HTML and JavaScript that executes in the context of other users' browsers.
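As an added illustration of the CWE-79 pattern described above (this is not Yada Wiki's code and not code from this advisory; the advisory does not identify which field or code path is affected), the hypothetical rendering functions below show a stored wiki field concatenated into markup unescaped, next to the hardened form that escapes at output time with WordPress's own esc_html() and filters markup-bearing fields with wp_kses_post(). The sample stored value and all function names are constructed for the example.

```php
<?php
// Added example of the CWE-79 pattern and its fix in a WordPress plugin
// setting. Not Yada Wiki's code; function names and the sample value are
// hypothetical/constructed.

// Stand-in so the file also runs outside WordPress. Inside WordPress the
// real esc_html() is already defined and this block is skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

// Constructed sample: a wiki title an authenticated editor stored earlier.
// The tag inside it should be displayed as text, never executed.
$stored_title = 'Welcome <script>alert(1)</script>';

// Vulnerable pattern: the stored string is concatenated into the page as-is,
// so every visitor's browser parses the <script> element and runs it.
function example_render_title_vulnerable( $title ) {
    return '<h1 class="wiki-title">' . $title . '</h1>';
}

// Fixed pattern: escape at the point of output. Angle brackets, quotes and
// ampersands become entities, so the same string is shown, not executed.
function example_render_title_fixed( $title ) {
    return '<h1 class="wiki-title">' . esc_html( $title ) . '</h1>';
}

// Fields that legitimately hold markup (a wiki body) cannot use esc_html().
// WordPress's wp_kses_post() keeps the post-content allowlist of tags and
// attributes and removes script elements, on* event handlers and
// javascript: URLs. Applying it on save as well as on output is defence in
// depth: a rendering path that forgets to filter then has less to expose.
function example_render_body_fixed( $body ) {
    if ( function_exists( 'wp_kses_post' ) ) {
        return '<div class="wiki-body">' . wp_kses_post( $body ) . '</div>';
    }
    // Outside WordPress: fall back to full escaping rather than trusting
    // the stored markup.
    return '<div class="wiki-body">' . esc_html( $body ) . '</div>';
}

echo example_render_title_vulnerable( $stored_title ), PHP_EOL;
echo example_render_title_fixed( $stored_title ), PHP_EOL;
echo example_render_body_fixed( $stored_title ), PHP_EOL;
```

Running the file with the PHP CLI prints the unescaped rendering first (the script element survives intact) and then the escaped renderings, where the tag appears as entity-encoded text. The check a reviewer applies to a plugin is the same one this contrast makes visible: every place a stored value reaches the page must pass through an escaping or allowlist function appropriate to its context (esc_html() for text, esc_attr() for attributes, wp_kses_post() for rich content), regardless of what was done at save time.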
Affected Products (AI)
Yada Wiki (dmccan) WordPress plugin versions up to and including 3.5. The plugin is distributed through the WordPress plugin repository. The vulnerability affects all installations of Yada Wiki through version 3.5; no explicit lower version bound was defined in the advisory, suggesting all versions up to 3.5 are potentially vulnerable.
Remediation (AI)
Update Yada Wiki plugin to a patched version newer than 3.5 immediately. Access the WordPress admin dashboard, navigate to Plugins, and use the built-in update functionality to upgrade to the latest available version. If an automatic update is not offered, check the official Yada Wiki plugin page on wordpress.org or the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/yada-wiki/vulnerability/wordpress-yada-wiki-plugin-3-5-cross-site-scripting-xss-vulnerability for the specific patched release version. As a temporary mitigation pending patching, disable the Yada Wiki plugin if not actively required and restrict wiki page editing to highly trusted users only.