CVE-2025-47598
Awaiting Analysis Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-06-09

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in click5 History Log by click5 history-log-by-click5 allows Stored XSS.This issue affects History Log by click5: from n/a through <= 1.0.13.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-09
Last Modified
2026-04-23
Generated
2026-05-07
AI Q&A
2025-06-09
EPSS Evaluated
2026-05-05
NVD
CVE-2025-47598
EUVD
EUVD-2025-17521
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Stored Cross-Site Scripting (XSS) flaw in the WordPress plugin 'History Log by click5' up to version 1.0.13. It allows attackers to inject malicious scripts into web pages generated by the plugin. When visitors access the affected website, these scripts can execute unauthorized actions such as redirects, displaying unwanted advertisements, or other harmful HTML payloads. The vulnerability requires only subscriber-level privileges to exploit and falls under the OWASP Top 10 category A3: Injection. [1]


How can this vulnerability impact me? :

The impact of this vulnerability includes unauthorized script execution on your website, which can lead to compromised site visitors through malicious redirects, unwanted advertisements, or other harmful actions. It can also result in a partial compromise of confidentiality, integrity, and availability of your site as indicated by the CVSS score. Since the plugin is abandoned and no official fix is available, the risk remains unless a virtual patch is applied or the plugin is replaced. If your site is compromised, professional incident response and server-side malware scanning are recommended. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves monitoring for suspicious script injections or unexpected HTML payloads in the History Log by click5 plugin outputs. Since the vulnerability allows stored XSS via subscriber-level privileges, checking for unusual script tags or redirects in the plugin's data is key. Professional incident response and server-side malware scanning are recommended to identify potential compromises. Specific commands are not provided in the resources. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying the virtual patch (vPatch) provided by Patchstack to block attacks until an official fix is available. Alternatively, replacing or removing the vulnerable plugin is advised due to its abandonment and lack of updates. Deactivating the plugin alone is insufficient to remove the security risk. Professional incident response and server-side malware scanning are also recommended if compromise is suspected. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart