CVE-2025-67025

6.1 MEDIUM

📋 TL;DR

A Cross-Site Scripting (XSS) vulnerability in AnyComment 0.4.4 lets a remote attacker inject script through the comment section. Every site running the vulnerable plugin version is affected: the injected script executes in the browser of a user who views or follows the crafted content, with that user's session and privileges, which puts sessions and user data at risk.

💻 Affected Systems

Products:
  • AnyComment (anycomment.io)
Versions: 0.4.4
Operating Systems: All platforms running the vulnerable plugin
Default Config Vulnerable: ⚠️ Yes
Notes: AnyComment is distributed as a WordPress plugin, so this affects WordPress sites with AnyComment 0.4.4 installed and active.

📦 What is this software?

AnyComment (anycomment.io) is a WordPress commenting plugin that replaces the default comment form and thread with its own front-end. Comments submitted through it are displayed to every visitor of the page, which is why an injection here reaches other users rather than only the attacker.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could run script in a victim's browser with the victim's session: redirect them to malicious sites, submit requests as them (including any nonce-protected REST or admin-ajax action the page exposes to a logged-in user), or read data from the page. Note that WordPress sets its authentication cookies HttpOnly, so lifting the session cookie through document.cookie is normally blocked; acting on the victim's behalf from inside the page is the realistic path.

🟠

Likely Case

Defacement of the comment thread, redirection of visitors to attacker-controlled pages, and requests made from the victim's browser with their session, which is how credential or data theft would actually play out here.

🟢

If Mitigated

Limited impact if script execution is already constrained by a Content Security Policy and comment content is filtered at another layer (a WAF or a server-side comment filter): the attacker is then left with defacement of the comment thread rather than script execution in victims' browsers.

🌐 Internet-Facing: HIGH - Public comment sections are directly accessible to attackers.
🏢 Internal Only: LOW - Primarily affects public-facing comment features.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities typically require minimal technical skill to exploit via crafted comments.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor changelog for versions after 0.4.4

Vendor Advisory: https://anycomment.io/site/changelog

Restart Required: No

Instructions:

1. Check the installed AnyComment version (Plugins page in wp-admin, or WP-CLI).
2. Update to the latest version through the plugin management interface.
3. Verify that the update completed and the version shown is later than 0.4.4.

🔧 Temporary Workarounds

Disable comment section (all platforms)

Temporarily deactivate the AnyComment plugin until the patched version is installed. This removes the injection point entirely, at the cost of the comment feature.

Navigate to WordPress admin > Plugins > AnyComment > Deactivate

Implement WAF rules (all platforms)

Configure a Web Application Firewall to block XSS payloads in comment submissions: detect and block script tags, javascript: URLs and on*= event-handler attributes in POST parameters to the comment endpoints. Apply the rule to the decoded request body, since URL- or entity-encoded payloads bypass a naive string match, and treat it as defence in depth rather than a fix: signature filters for XSS are routinely bypassed.

🧯 If You Can't Patch

  • Enforce a Content Security Policy whose script-src does not allow 'unsafe-inline', so injected inline script and event-handler attributes are refused by the browser. Roll it out with Content-Security-Policy-Report-Only first: the WordPress admin and many plugins rely on inline scripts and will break under a strict policy without testing.
  • Sanitize comment content server-side before storage and encode it on output. For a third-party plugin this means filtering at a layer you control (a WordPress comment-content filter, if the plugin stores comments through the core comment API) rather than relying on the plugin's own handling.

🔍 How to Verify

Check if Vulnerable:

Check the installed AnyComment plugin version in the WordPress plugin management interface (Plugins > Installed Plugins).

Check Version:

With WP-CLI: wp plugin list | grep anycomment

Verify Fix Applied:

Confirm the plugin version shown is later than 0.4.4. Then test the comment flow directly: submit a comment containing a harmless, unique marker wrapped in HTML (for example an img tag whose onerror attribute references an undefined name), view the page as a different, unauthenticated visitor, and confirm the marker is displayed as literal text rather than becoming an element. Do this on a staging copy, not on production.
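The "displayed as literal text rather than becoming an element" check above can be done mechanically. The script below is an added example for this advisory, not code from the AnyComment project, and it assumes nothing about the plugin's markup: you submit PROBE as a comment on a staging site, save the page HTML as an unauthenticated visitor sees it, and pass it to reflects_unescaped(). The three page fragments at the bottom are constructed to show how a vulnerable, a correctly encoded and a script-context rendering look to the checker.

```python
"""Offline check for unencoded reflection of a probe comment.

Added example for this advisory; it is not code from AnyComment and makes no
assumptions about the plugin's markup. Workflow: submit PROBE as a comment on a
staging site, fetch the page containing it as an unauthenticated visitor, and
pass the HTML to reflects_unescaped(). The fragments at the bottom are
constructed samples, not real plugin output.
"""
from html.parser import HTMLParser
from typing import Dict, List

TOKEN = "xsscheck7f3a"  # unique marker so a match cannot be coincidental
# The probe only names an undefined identifier in onerror, so even when it is
# reflected raw it produces nothing worse than a console error.
PROBE = f"<img src=x alt={TOKEN} onerror={TOKEN}>"


class _ProbeAudit(HTMLParser):
    """Walk the rendered page and record where TOKEN ended up."""

    def __init__(self) -> None:
        super().__init__()
        self.unsafe: List[str] = []
        self.probe_as_text = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if not value or TOKEN not in value:
                continue
            # The probe became a real element: '<' and '>' were not encoded.
            if name.lower().startswith("on"):
                self.unsafe.append(f"event handler {name} on <{tag}>")
            elif value.strip().lower().startswith("javascript:"):
                self.unsafe.append(f"javascript: URL in {name} on <{tag}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if TOKEN not in data:
            return
        if self._in_script:
            # Comment text spliced into a script block executes as code.
            self.unsafe.append("token inside <script> body")
        else:
            # The parser decoded entities for us; the probe is visible text,
            # which is the correct, encoded rendering.
            self.probe_as_text = True


def reflects_unescaped(page_html: str) -> Dict[str, object]:
    """Return {'unsafe': [...], 'probe_as_text': bool} for a rendered page."""
    audit = _ProbeAudit()
    audit.feed(page_html)
    audit.close()
    return {"unsafe": audit.unsafe, "probe_as_text": audit.probe_as_text}


# Constructed fragments (not AnyComment output).
VULNERABLE_PAGE = f'<div class="comment"><p>{PROBE}</p></div>'
ESCAPED_PAGE = (
    '<div class="comment"><p>&lt;img src=x alt=' + TOKEN
    + ' onerror=' + TOKEN + '&gt;</p></div>'
)
SCRIPT_CONTEXT_PAGE = f'<script>var lastComment = "{TOKEN}";</script>'

if __name__ == "__main__":
    for label, page in [("vulnerable", VULNERABLE_PAGE),
                        ("escaped", ESCAPED_PAGE),
                        ("script context", SCRIPT_CONTEXT_PAGE)]:
        print(label, reflects_unescaped(page))
```

A non-empty `unsafe` list means the fix is not effective for that rendering path; `probe_as_text` True with an empty `unsafe` list is the expected result after patching. The checker only inspects the page you hand it, so test every place the plugin renders comments (thread, reply previews, recent-comments widgets) rather than a single page.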

📡 Detection & Monitoring

Log Indicators:

  • Comment submissions whose body contains script tags, javascript: URLs or on*= event-handler attributes, including URL-encoded (%3Cscript) and entity-encoded (&lt;script) forms
  • Bursts of comment submissions from one source carrying differently encoded variants of the same payload, which is what a filter-bypass attempt looks like

Network Indicators:

  • HTTP POST requests to the comment endpoints with the above markers in the body
  • Unexpected outbound requests from browsers on comment pages to third-party domains (exfiltration or redirect)

SIEM Query:

source="web_logs" AND (url_path="/wp-comments-post.php" OR url_path LIKE "%/comment%") AND (request_body LIKE "%<script>%" OR request_body LIKE "%javascript:%")

Two caveats on this query. It matches only raw payloads, so decode the request body (URL encoding and HTML entities) before matching, or add the encoded variants. And AnyComment may submit comments through its own front-end route rather than the core wp-comments-post.php form handler; confirm the actual submission path in the browser's network tab when posting a comment and include it in the path filter.
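Because of those caveats, a detector that normalises the body before matching catches what the raw query misses. The following is an added example for this advisory, not part of the advisory's query or of AnyComment; the access-log format, the REST-style endpoint path and the sample lines are constructed for the demo, so adjust LOG_RE to your proxy's body-logging format and COMMENT_PATHS to the route your comment plugin actually posts to.

```python
"""Flag comment submissions carrying XSS markers, after decoding.

Added example for the detection section of this advisory; it is not part of
the advisory's SIEM query or of AnyComment. The log line shape, the endpoint
list and the sample lines are constructed for the demo.
"""
import html
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Paths treated as comment endpoints. /wp-comments-post.php is the core
# WordPress form handler; the REST-style route is a placeholder (assumption),
# to be replaced with the real plugin route.
COMMENT_PATHS = ("/wp-comments-post.php", "/wp-json/example/v1/comment")

# Markers that have no place in a plain-text comment. Applied to the decoded
# body, so %3Cscript%3E and &lt;script&gt; are caught as well as <script>.
XSS_MARKERS = re.compile(
    r"<\s*script\b"                              # script element
    r"|javascript\s*:"                           # javascript: URL
    r"|<\s*(?:img|svg|iframe|object|embed)\b"    # tags commonly abused for handlers
    r"|\bon[a-z]+\s*=",                          # on*= event handler attribute
    re.IGNORECASE,
)

# Constructed log line shape: METHOD PATH "BODY".
LOG_RE = re.compile(r'^(?P<method>\w+)\s+(?P<path>\S+)\s+"(?P<body>.*)"$')


def normalize(payload: str, rounds: int = 3) -> str:
    """Strip the encoding layers an attacker uses to slip past a raw match.

    URL-decodes repeatedly (double encoding is a classic filter bypass), then
    resolves HTML entities such as &lt; or &#x3c;.
    """
    current = payload
    for _ in range(rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return html.unescape(current)


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None when it is not suspicious."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    path = m.group("path")
    if not any(path.startswith(p) for p in COMMENT_PATHS):
        return None
    body = normalize(m.group("body"))
    hit = XSS_MARKERS.search(body)
    if not hit:
        return None
    return {"path": path, "marker": hit.group(0), "decoded_body": body}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over a log and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    'POST /wp-comments-post.php "comment=Great+post%21+The+button+is+on+the+left."',
    'POST /wp-comments-post.php "comment=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"',
    # double URL-encoded, which a raw "<script>" match would miss
    'POST /wp-comments-post.php "comment=%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E"',
    # entity-encoded inside URL encoding
    'POST /wp-json/example/v1/comment "content=%26lt%3Bsvg%20onload%3Dalert(1)%26gt%3B"',
    'GET /wp-comments-post.php ""',
    'POST /contact "message=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"',  # not a comment endpoint
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The benign first line shows why the event-handler pattern requires letters directly after "on" and an equals sign: ordinary prose containing the word "on" does not trigger it. Findings are for triage, not blocking; a submission that decodes to a script tag from a path that only ever carries plain text is a strong signal, but review the decoded body before acting on it.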
