CVE-2025-67553 identifies a DOM-based Cross-site Scripting (XSS) vulnerability in the ThemeHigh Advanced FAQ Manager plugin for WordPress, affecting versions up to 1.5.2. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows malicious scripts to be injected and executed within the context of the victim’s browser. This form of XSS is client-side, occurring when the web application’s JavaScript processes unsafe input without adequate sanitization or encoding. The vulnerability requires an attacker to have at least low privileges (PR:L) and user interaction (UI:R), such as tricking a user into clicking a crafted link or visiting a malicious page. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) indicates network attack vector, low attack complexity, partial privileges, user interaction, scope change, and low impact on confidentiality, integrity, and availability. The scope change (S:C) means the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting the entire web application or user session. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and classified as medium severity. The Advanced FAQ Manager plugin is used to manage frequently asked questions on WordPress sites, often in customer support or informational contexts. Exploitation could lead to session hijacking, data theft, or defacement of web content, undermining user trust and organizational reputation.

For European organizations, this vulnerability poses a risk primarily to those using the ThemeHigh Advanced FAQ Manager plugin on their WordPress sites, especially public-facing portals that handle sensitive user data or provide critical information. Successful exploitation could lead to unauthorized disclosure of user data, session hijacking, or manipulation of displayed content, impacting confidentiality, integrity, and availability. This can result in reputational damage, regulatory non-compliance (e.g., GDPR violations due to data leakage), and potential financial losses. Organizations in sectors such as e-commerce, government, healthcare, and education, which often rely on FAQ plugins for user support, are particularly vulnerable. The requirement for user interaction and low privilege means attackers may target employees or customers with phishing campaigns to trigger the exploit. The scope change in the vulnerability increases the risk that the impact could extend beyond the plugin itself, affecting other parts of the web application or user sessions. Although no known exploits exist yet, the public disclosure increases the risk of future exploitation attempts.

1. Monitor ThemeHigh’s official channels for security patches and apply updates to Advanced FAQ Manager immediately upon release. 2. Implement strict input validation and output encoding on all user-supplied data processed by the plugin, especially in JavaScript contexts, to prevent injection of malicious scripts. 3. Deploy Content Security Policy (CSP) headers to restrict execution of unauthorized scripts and reduce the impact of XSS attacks. 4. Conduct regular security assessments and penetration testing focusing on web application vulnerabilities, including DOM-based XSS. 5. Educate users and employees about phishing and social engineering tactics that could be used to induce user interaction required for exploitation. 6. Use Web Application Firewalls (WAFs) with rules tailored to detect and block XSS attack patterns targeting the plugin. 7. Review and restrict plugin permissions and access controls to minimize privilege levels required for users interacting with the plugin. 8. Monitor web server and application logs for suspicious activity indicative of attempted XSS exploitation.