CVE-2025-52735
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in the NextMove Lite WordPress plugin allows attackers to inject malicious scripts into thank-you pages. Attackers can steal user session cookies, redirect users to malicious sites, or perform actions on behalf of users. WordPress sites using vulnerable versions of the NextMove Lite plugin are affected.
💻 Affected Systems
- XLPlugins NextMove Lite (woo-thank-you-page-nextmove-lite)
📦 What is this software?
Nextmove by Xlplugins
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full administrative access to the WordPress site, install backdoors, deface the site, or steal customer data.
Likely Case
Attackers steal user session cookies from customers completing purchases, potentially accessing their accounts or performing unauthorized actions.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing any impact.
🎯 Exploit Status
Exploitation requires tricking users into clicking specially crafted links. The vulnerability is in the thank-you page generation where user input isn't properly sanitized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.22.0 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'NextMove Lite - Thank You Page for WooCommerce'. 4. Click 'Update Now' if available. 5. If no update appears, download version 2.22.0+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
WordPressTemporarily disable the NextMove Lite plugin until patched
wp plugin deactivate woo-thank-you-page-nextmove-lite
Implement WAF rules
allConfigure web application firewall to block XSS patterns in thank-you page parameters
🧯 If You Can't Patch
- Disable the NextMove Lite plugin entirely
- Implement strict Content Security Policy (CSP) headers to mitigate script execution
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for 'NextMove Lite' version 2.21.0 or earlierCheck Version:
wp plugin get woo-thank-you-page-nextmove-lite --field=versionVerify Fix Applied:
Verify plugin version is 2.22.0 or later in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual GET/POST requests to thank-you pages with script tags or JavaScript in parameters
- Multiple failed XSS attempts in web server logs
Network Indicators:
- HTTP requests containing <script> tags or JavaScript in URL parameters to thank-you pages
- Unusual redirects from thank-you pages
SIEM Query:
source="web_server_logs" AND (uri_path="*thank-you*" OR uri_path="*order-received*") AND (query="*<script>*" OR query="*javascript:*" OR query="*onload=*" OR query="*onerror=*")