WordPress Plugin Vulnerabilities

Pathomation <= 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Pathomation plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
pathomation
No known fix

References

CVE
CVE-2025-27306
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/85950e4c-59fe-4ad3-8c43-e161259d6ded

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Peter Thaleikis
Verified
No
WPVDB ID
dde72431-9af4-49ea-8c08-ffd51c0e8f3f

Timeline

Publicly Published
2025-02-24 (about 1 year ago)
Added
2025-03-03 (about 1 year ago)
Last Updated
2025-03-03 (about 1 year ago)

Other

Published
Title
Published
2014-09-21
Title
Login Widget With Shortcode 3.1.1 - custom_style_afo Parameter Reflected XSS
Published
2024-09-12
Title
YITH Custom Login < 1.7.4 - Reflected Cross-Site Scripting
Published
2024-06-07
Title
Tooltip CK <= 2.2.15 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2025-05-07
Title
Ultimate Blocks < 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-10-11
Title
Enzy < 1.6.4 - Reflected Cross-Site Scripting