The vulnerability CVE-2025-67991 affects the vanquish User Extra Fields WordPress plugin (versions up to 16.8) and is caused by improper neutralization of input during web page generation, resulting in a reflected Cross-site Scripting (XSS) flaw. This allows an attacker to craft malicious input that, when reflected by the application, executes arbitrary scripts in the victim's browser. The CVSS score is 7.1 (high), with network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability rated as low.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of a victim's browser, potentially leading to theft of sensitive information, session hijacking, or other malicious actions impacting confidentiality, integrity, and availability to a limited extent. The reflected XSS nature requires user interaction to trigger the attack. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — no official patch or remediation guidance is currently available from the vendor. Users of the vanquish User Extra Fields plugin should monitor the vendor's advisories for updates and apply any official fixes once released. Until then, consider limiting exposure by restricting access or disabling the plugin if feasible.