CVE-2025-67960
📋 TL;DR
This is a reflected cross-site scripting (XSS) vulnerability in the WorkScout-Core WordPress plugin that allows attackers to inject malicious scripts into web pages. When exploited, it can enable session hijacking, credential theft, or website defacement. All WordPress sites using WorkScout-Core version 1.7.06 or earlier are affected.
💻 Affected Systems
- WorkScout-Core WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over WordPress sites, install backdoors, or redirect users to malicious sites, potentially leading to complete site compromise and data breaches.
Likely Case
Attackers typically use this to steal user session cookies, perform phishing attacks, or deface websites by injecting malicious content visible to other users.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be neutralized, preventing any exploitation while maintaining normal plugin functionality.
🎯 Exploit Status
Reflected XSS vulnerabilities are commonly exploited and require minimal technical skill. Attackers typically craft malicious URLs containing the payload.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.7.06
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find WorkScout-Core plugin. 4. Click 'Update Now' if update available. 5. If no update available, deactivate and remove the plugin, then install the latest version from WordPress repository.
🔧 Temporary Workarounds
Input Validation Web Application Firewall Rule
allConfigure WAF to block requests containing suspicious script patterns in URL parameters
Content Security Policy Implementation
allImplement CSP headers to restrict script execution sources and prevent inline script execution
Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Header set X-Content-Type-Options "nosniff"
🧯 If You Can't Patch
- Disable or remove the WorkScout-Core plugin entirely from WordPress installation
- Implement strict input validation and output encoding at application level for all user inputs
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for WorkScout-Core version. If version is 1.7.06 or earlier, the system is vulnerable.Check Version:
wp plugin list --name=workscout-core --field=versionVerify Fix Applied:
After updating, verify the plugin version shows higher than 1.7.06 in WordPress admin panel. Test the previously vulnerable endpoints with XSS payloads to confirm they're now properly sanitized.📡 Detection & Monitoring
Log Indicators:
- Unusual GET requests with script tags or JavaScript code in URL parameters
- Multiple failed attempts to access plugin-specific endpoints with encoded payloads
- User agents containing script injection patterns
Network Indicators:
- HTTP requests containing <script>, javascript:, or encoded XSS payloads in query strings
- Traffic to plugin-specific endpoints with suspicious parameter values
SIEM Query:
source="web_server_logs" AND (uri="*workscout*" OR uri="*wp-content/plugins/workscout-core*") AND (query="*<script>*" OR query="*javascript:*" OR query="*%3Cscript%3E*")