SweetDate Core
CVE-2025-69140
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Reflected XSS reachable over the network with no auth (PR:N) but requiring a click (UI:R); scope changes to the victim browser with low C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in SweetDate Core < 1.1.5 versions.
AnalysisAI
Reflected cross-site scripting in the SweetDate Core WordPress plugin versions prior to 1.1.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim is lured into clicking a crafted link. The CVSS 3.1 score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C) reflects unauthenticated network reach with required user interaction and a scope change typical of stored/reflected XSS in browser contexts. No public exploit identified at time of analysis and no EPSS or KEV signal was provided.
Technical ContextAI
SweetDate Core is a companion plugin shipped with the SeventhQueen 'SweetDate' WordPress dating theme (CPE cpe:2.3:a:seventhqueen:sweetdate_core), used to provide profile, membership, and dating-site functionality on top of WordPress. The flaw maps to CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controllable input is reflected back into an HTML response without proper output encoding or contextual escaping. Because WordPress plugins typically render parameters inside admin or front-end templates, an attacker can inject script that executes in the browser of any visitor who follows a crafted URL, inheriting that user's WordPress session and DOM context.
RemediationAI
Upgrade the SweetDate Core plugin to version 1.1.5 or later, which Patchstack identifies as the fixed release (https://patchstack.com/database/wordpress/plugin/sweetdate-core/vulnerability/wordpress-sweetdate-core-plugin-1-1-5-reflected-cross-site-scripting-xss-vulnerability). If immediate patching is not possible, place a WAF rule (Patchstack, Wordfence, or equivalent) in front of the site to filter reflected script payloads in query parameters targeting SweetDate Core endpoints - note this can produce false positives on legitimate admin traffic. As a stronger temporary control, deactivate the SweetDate Core plugin until it can be upgraded, accepting the loss of dating-site functionality, and require administrators to log out of WordPress before clicking external links to limit session-theft impact.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today