Skip to main content

Okay Toolkit EUVDEUVD-2025-210161

| CVE-2025-68851 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-jgcq-3ch9-q5rw
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Reflected XSS reachable over the network without authentication but requiring a victim click; payload escapes plugin scope into the browser, yielding limited C/I/A in the user context.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:43 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Okay Toolkit <= 2.3 versions.

AnalysisAI

Reflected cross-site scripting in the Okay Toolkit WordPress plugin (versions ≤2.3) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 7.1 with a scope-changed impact, but no public exploit identified at time of analysis and EPSS data was not provided. Successful exploitation can lead to session hijacking, credential theft, or administrative actions against the targeted WordPress site.

Technical ContextAI

Okay Toolkit is a WordPress plugin published by ArrayHQ (CPE cpe:2.3:a:arrayhq:okay_toolkit) that provides supplementary site-building widgets and blocks. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controllable input is reflected back into rendered HTML without proper output encoding or context-aware escaping. Because the issue is reflected XSS within a WordPress plugin, the malicious payload executes within the security origin of the WordPress site, giving the injected script access to cookies, the DOM, and any logged-in administrative session that loads the crafted URL.

RemediationAI

No vendor-released patch identified at time of analysis in the supplied intelligence; the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/okay-toolkit/vulnerability/wordpress-okay-toolkit-plugin-2-3-reflected-cross-site-scripting-xss-vulnerability) marks affected versions as ≤2.3 without naming a fixed release, so administrators should monitor that advisory and the WordPress plugin repository for a version newer than 2.3 and upgrade immediately when published. Until a fixed release is available, compensating controls include deactivating and removing the Okay Toolkit plugin if it is not business-critical (trade-off: loss of any toolkit-provided blocks and widgets on the site), placing the site behind a WAF or Patchstack mitigation rules that filter reflected XSS payloads targeting the plugin's request parameters (trade-off: rules may produce false positives on legitimate content), and restricting wp-admin access via IP allowlisting or HTTP auth so that administrator sessions cannot be targeted by externally delivered phishing links (trade-off: operational friction for distributed admins). Educating administrators not to click untrusted links while logged in further reduces the UI:R precondition.

Share

EUVD-2025-210161 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy