Skip to main content

SweetDate Core CVE-2025-69140

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-17 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Reflected XSS reachable over the network with no auth (PR:N) but requiring a click (UI:R); scope changes to the victim browser with low C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 14:43 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in SweetDate Core < 1.1.5 versions.

AnalysisAI

Reflected cross-site scripting in the SweetDate Core WordPress plugin versions prior to 1.1.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim is lured into clicking a crafted link. The CVSS 3.1 score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C) reflects unauthenticated network reach with required user interaction and a scope change typical of stored/reflected XSS in browser contexts. No public exploit identified at time of analysis and no EPSS or KEV signal was provided.

Technical ContextAI

SweetDate Core is a companion plugin shipped with the SeventhQueen 'SweetDate' WordPress dating theme (CPE cpe:2.3:a:seventhqueen:sweetdate_core), used to provide profile, membership, and dating-site functionality on top of WordPress. The flaw maps to CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controllable input is reflected back into an HTML response without proper output encoding or contextual escaping. Because WordPress plugins typically render parameters inside admin or front-end templates, an attacker can inject script that executes in the browser of any visitor who follows a crafted URL, inheriting that user's WordPress session and DOM context.

RemediationAI

Upgrade the SweetDate Core plugin to version 1.1.5 or later, which Patchstack identifies as the fixed release (https://patchstack.com/database/wordpress/plugin/sweetdate-core/vulnerability/wordpress-sweetdate-core-plugin-1-1-5-reflected-cross-site-scripting-xss-vulnerability). If immediate patching is not possible, place a WAF rule (Patchstack, Wordfence, or equivalent) in front of the site to filter reflected script payloads in query parameters targeting SweetDate Core endpoints - note this can produce false positives on legitimate admin traffic. As a stronger temporary control, deactivate the SweetDate Core plugin until it can be upgraded, accepting the loss of dating-site functionality, and require administrators to log out of WordPress before clicking external links to limit session-theft impact.

Share

CVE-2025-69140 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy