What the vulnerability does
01Description
The vulnerability allows a remote attacker to inject and execute arbitrary client-side script code inside a victim’s session via a crafted URL or HTTP request.
CVSS base score
5.3/10
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Key dates
02Disclosure timeline
January 10, 2024
CVE published
June 17, 2025
Record updated
External resources
03References
Related vulnerabilities
04Related CVE
CVE-2016-8613
CVE-2023-5051 CallRail Phone Call Tracking <= 0.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE-2024-13380 Alex Reservations: Smart Restaurant Booking <= 2.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE-2025-8317 Custom Word Cloud <= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via angle Parameter
CVE-2024-29137 WordPress Tourfic plugin <= 2.11.7 - Reflected Cross Site Scripting (XSS) vulnerability
