CVE-2025-63035

6.5 MEDIUM

📋 TL;DR

This DOM-based XSS vulnerability in the WPLMS WordPress plugin allows attackers to inject malicious scripts into web pages viewed by other users. It affects all WordPress sites using WPLMS plugin versions up to and including 1.9.9.5.4. Attackers can steal session cookies, redirect users, or perform actions on their behalf.

💻 Affected Systems

Products:
  • VibeThemes WPLMS WordPress Plugin
Versions: All versions through 1.9.9.5.4
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with WPLMS plugin enabled

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover, data theft, or malware distribution to all site visitors

🟠 Likely Case: Session hijacking, credential theft, or defacement of vulnerable pages

🟢 If Mitigated: Limited impact with proper CSP headers and user awareness training

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

DOM-based XSS typically requires user interaction but can be automated

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.9.9.5.4

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/wplms_plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-4-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find WPLMS plugin
4. Click 'Update Now' if available
5. If no update available, deactivate and remove plugin

🔧 Temporary Workarounds

Content Security Policy (applies to: all)

Implement CSP headers to restrict script execution.

Add to .htaccess (requires mod_headers): Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or use WordPress security plugins to configure CSP.
Note that this policy blocks inline scripts, which WordPress core, themes and plugins commonly rely on; deploy it first as Content-Security-Policy-Report-Only, review the violation reports, and only then switch to the enforcing header.

Input Sanitization (applies to: all)

Add custom input validation for WPLMS forms.

Add to theme functions.php: add_filter('wplms_input', 'esc_html');
Note that a filter only takes effect if the plugin actually applies that hook, and because this is a DOM-based XSS the payload is read and written into the page by client-side JavaScript (for example from the URL), so server-side escaping alone does not close the vulnerability; treat this as defence in depth, not a fix.

🧯 If You Can't Patch

  • Disable or remove the WPLMS plugin immediately
  • Implement web application firewall with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → WPLMS version. If version is 1.9.9.5.4 or lower, you are vulnerable.

Check Version:

Run wp plugin list --name=wplms --field=version (WP-CLI), or check the WordPress admin plugins page.

Verify Fix Applied:

After update, verify WPLMS version is higher than 1.9.9.5.4 in WordPress plugins page.
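As an added example that is not part of this advisory, the following POSIX shell helper wraps the WP-CLI command above and compares the reported version against 1.9.9.5.4 field by field, because a plain string comparison would misorder versions such as 1.9.9.5.10. The function names and the site-path argument are assumptions; it assumes WP-CLI is installed and that WPLMS versions are purely numeric dotted strings.

```shell
#!/bin/sh
# Added example: check whether an installed WPLMS version falls in the affected
# range of CVE-2025-63035 (all versions through 1.9.9.5.4).
# Assumes WP-CLI (`wp`) is on PATH and versions are purely numeric dotted strings.
LAST_AFFECTED="1.9.9.5.4"

# version_le A B: succeed (0) when dotted version A <= B.
# Fields are compared as integers one by one; a missing field counts as 0,
# so "1.9.9.5" sorts before "1.9.9.5.4" and "1.9.9.5.10" sorts after it.
version_le() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                                # leading field
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi     # drop that field
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 0                                                  # all fields equal
}

# wplms_vulnerable VERSION: succeed when VERSION is 1.9.9.5.4 or older.
wplms_vulnerable() {
    version_le "$1" "$LAST_AFFECTED"
}

# check_site WP_PATH: ask WP-CLI for the installed WPLMS version and report.
# Exit status: 0 vulnerable, 1 patched, 2 plugin not found or WP-CLI error.
check_site() {
    v=$(wp plugin list --name=wplms --field=version --path="$1" 2>/dev/null)
    if [ -z "$v" ]; then
        echo "$1: WPLMS not installed or WP-CLI failed"
        return 2
    fi
    if wplms_vulnerable "$v"; then
        echo "$1: VULNERABLE - WPLMS $v is <= $LAST_AFFECTED; update or remove the plugin"
        return 0
    fi
    echo "$1: OK - WPLMS $v is newer than $LAST_AFFECTED"
    return 1
}

# Usage: sh wplms-check.sh /var/www/site1 /var/www/site2 ...
for site in "$@"; do
    check_site "$site"
done
```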

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to WPLMS endpoints
  • JavaScript payloads in URL parameters or form submissions

Network Indicators:

  • Script tags in HTTP requests to WPLMS endpoints
  • Unusual redirects from WPLMS pages

SIEM Query:

source="web_logs" AND (uri="*wplms*" AND (method="POST" OR method="GET") AND (content="*<script>*" OR content="*javascript:*"))

Note that this query only matches literal, unencoded payloads: URL-encoded forms (such as %3Cscript%3E) and event-handler payloads without a <script> tag are missed, and a DOM-based payload carried in the URL fragment (after #) is never sent to the server, so it never appears in web logs at all.
