CVE-2025-68878

2025-12-29

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 29, 2025 - 16:15 (nvd)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in prasadkirpekar Advanced Custom CSS advanced-custom-css allows Reflected XSS. This issue affects Advanced Custom CSS: from n/a through <= 1.1.0.

Analysis

Reflected cross-site scripting (XSS) in the Advanced Custom CSS WordPress plugin, versions through 1.1.0, allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation: a victim who follows a crafted URL has attacker-controlled script executed in their browser, which can be used to steal session tokens or credentials or to perform actions on the victim's behalf. No public exploit code or active exploitation has been confirmed at the time of analysis, and the low EPSS score (0.04th percentile) suggests limited real-world exploitation risk despite the straightforward attack vector.

Technical Context

This vulnerability is a classic reflected XSS flaw (CWE-79) in a WordPress plugin that processes user-supplied input without proper sanitization or encoding before rendering it in HTML responses. The Advanced Custom CSS plugin allows site administrators and users to apply custom CSS styles; the vulnerability likely exists in a parameter or endpoint that accepts user input and reflects it back in the page without escaping special characters. Reflected XSS attacks differ from stored XSS in that the malicious payload must be delivered via a crafted link rather than persisted in a database. WordPress plugins processing CSS or styling parameters are common targets because developers may overlook XSS vectors in style-related functionality, assuming CSS input is 'safe' when it is passed through URLs or form fields.
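The reflection pattern described above, as an added illustration that is not the Advanced Custom CSS plugin's code: a hypothetical settings page (function names, the `acc_css` parameter and the `acc_custom_css` option are all assumed) shown first with request input echoed straight into the HTML, then hardened with the WordPress capability, nonce, sanitization and escaping functions.

```php
<?php
// Added illustration, not the Advanced Custom CSS plugin's code. A hypothetical
// settings page that echoes a submitted CSS field back into the form.

// VULNERABLE pattern: request input is written straight into the HTML response.
// Any value in the 'acc_css' query/POST parameter is reflected without encoding,
// so a crafted link can inject markup into the page the admin is viewing.
function acc_render_settings_vulnerable() {
    $css = isset( $_REQUEST['acc_css'] ) ? $_REQUEST['acc_css'] : '';
    $msg = isset( $_REQUEST['acc_msg'] ) ? $_REQUEST['acc_msg'] : '';
    echo '<form method="post">';
    echo '<textarea name="acc_css">' . $css . '</textarea>'; // unescaped
    echo '<p>Last saved: ' . $msg . '</p>';                   // unescaped
    echo '</form>';
}

// HARDENED pattern: restrict who can reach the page, verify intent with a nonce,
// sanitize on input, and encode for the exact HTML context on output.
function acc_render_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'acc' ) );
    }
    $css = '';
    if ( isset( $_POST['acc_css'] ) && check_admin_referer( 'acc_save_css', 'acc_nonce' ) ) {
        // wp_unslash removes WP's added slashes; sanitize_textarea_field drops
        // tags and control characters while preserving line breaks.
        $css = sanitize_textarea_field( wp_unslash( $_POST['acc_css'] ) );
        update_option( 'acc_custom_css', $css );
    } else {
        $css = (string) get_option( 'acc_custom_css', '' );
    }
    echo '<form method="post">';
    wp_nonce_field( 'acc_save_css', 'acc_nonce' );
    // esc_textarea encodes <, >, & and quotes for a textarea body.
    echo '<textarea name="acc_css">' . esc_textarea( $css ) . '</textarea>';
    // Status text is a fixed string chosen by the code, never taken from the request.
    $msg = isset( $_POST['acc_css'] ) ? __( 'Saved.', 'acc' ) : '';
    echo '<p>' . esc_html( $msg ) . '</p>';
    echo '</form>';
}

// When the saved CSS is later emitted inside a <style> block, strip any tags so a
// closing </style> cannot break out of the style context.
function acc_print_custom_css() {
    $css = (string) get_option( 'acc_custom_css', '' );
    echo '<style id="acc-custom-css">' . wp_strip_all_tags( $css ) . '</style>';
}
```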

Affected Products

Advanced Custom CSS WordPress plugin (developed by prasadkirpekar) from version n/a through version 1.1.0 is affected. The plugin is distributed via the WordPress plugin repository. Affected installations include any WordPress site using Advanced Custom CSS with version 1.1.0 or earlier. For technical details and confirmation, refer to the Patchstack vulnerability database entry: https://patchstack.com/database/Wordpress/Plugin/advanced-custom-css/vulnerability/wordpress-advanced-custom-css-plugin-1-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve

Remediation

Upgrade Advanced Custom CSS to a version later than 1.1.0; consult the plugin's update mechanism within WordPress or the official plugin repository for the latest patched release. If an immediate update is not available or the plugin has been abandoned, disable the plugin and remove it from the WordPress installation, or switch to an alternative CSS customization plugin. Site administrators should verify that any custom CSS rules are migrated to a safer alternative (such as the WordPress Customizer's Additional CSS feature or a maintained plugin) before removing Advanced Custom CSS. Review the Patchstack vulnerability page (https://patchstack.com/database/Wordpress/Plugin/advanced-custom-css/vulnerability/wordpress-advanced-custom-css-plugin-1-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) for plugin authors' recommended remediation and any interim patches.

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
Components: KEV: 0; EPSS: +0.0; CVSS: +0; POC: 0

CVE-2025-68878 vulnerability details – vuln.today