CVE-2025-5010 MEDIUM

CVE-2025-5010: moonlightL hexo-boot Blog Backend index.html cross site scripting

Vendor Moonlightl

Product hexo-boot

Weakness CWE-79 · XSS

Published May 20, 2025

Last update May 21, 2025

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A vulnerability classified as problematic has been found in moonlightL hexo-boot 4.3.0. This affects an unknown part of the file /admin/home/index.html of the component Blog Backend. The manipulation of the argument Description leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Key dates

02Disclosure timeline

May 20, 2025 CVE published

May 21, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-5010 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-27991 WordPress SupportCandy plugin <= 3.2.3 - Cross Site Scripting (XSS) vulnerability CVE-2025-69089 WordPress Auto Listings plugin <= 2.7.1 - Cross Site Scripting (XSS) vulnerability CVE-2025-1114 newbee-mall Add Category Page save cross site scripting CVE-2025-14119 App Landing Template Blocks for WPBakery Page Builder <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes CVE-2026-7650 E2Pdf – Export Pdf Tool for WordPress <= 1.32.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute