Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Reflected XSS reachable over the network without authentication but requiring a victim click; payload escapes plugin scope into the browser, yielding limited C/I/A in the user context.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Okay Toolkit <= 2.3 versions.
AnalysisAI
Reflected cross-site scripting in the Okay Toolkit WordPress plugin (versions ≤2.3) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 7.1 with a scope-changed impact, but no public exploit identified at time of analysis and EPSS data was not provided. Successful exploitation can lead to session hijacking, credential theft, or administrative actions against the targeted WordPress site.
Technical ContextAI
Okay Toolkit is a WordPress plugin published by ArrayHQ (CPE cpe:2.3:a:arrayhq:okay_toolkit) that provides supplementary site-building widgets and blocks. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controllable input is reflected back into rendered HTML without proper output encoding or context-aware escaping. Because the issue is reflected XSS within a WordPress plugin, the malicious payload executes within the security origin of the WordPress site, giving the injected script access to cookies, the DOM, and any logged-in administrative session that loads the crafted URL.
RemediationAI
No vendor-released patch identified at time of analysis in the supplied intelligence; the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/okay-toolkit/vulnerability/wordpress-okay-toolkit-plugin-2-3-reflected-cross-site-scripting-xss-vulnerability) marks affected versions as ≤2.3 without naming a fixed release, so administrators should monitor that advisory and the WordPress plugin repository for a version newer than 2.3 and upgrade immediately when published. Until a fixed release is available, compensating controls include deactivating and removing the Okay Toolkit plugin if it is not business-critical (trade-off: loss of any toolkit-provided blocks and widgets on the site), placing the site behind a WAF or Patchstack mitigation rules that filter reflected XSS payloads targeting the plugin's request parameters (trade-off: rules may produce false positives on legitimate content), and restricting wp-admin access via IP allowlisting or HTTP auth so that administrator sessions cannot be targeted by externally delivered phishing links (trade-off: operational friction for distributed admins). Educating administrators not to click untrusted links while logged in further reduces the UI:R precondition.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210161
GHSA-jgcq-3ch9-q5rw