What the vulnerability does
01Description
The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.
CVSS base score
6.8/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
Key dates
02Disclosure timeline
April 23, 2025
CVE published
June 10, 2025
Record updated
External resources
03References
Related vulnerabilities
04Related CVE
CVE-2024-12443 CRM Perks – WordPress HelpDesk Integration – Zendesk, Freshdesk, HelpScout <= 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2020-6159
CVE-2025-23079 XSSes in Extension:ArticleFeedbackv5
CVE-2019-7004 Avaya IP Office XSS Vulnerability
CVE-2025-24892 OpenProject stored HTML injection vulnerability
