CVE-2025-59467
Cross-Site Scripting in UCRM AFIP Plugin Enables Privilege Escalation
Publication date: 2026-01-05
Last updated on: 2026-02-05
Assigner: HackerOne
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ucrm | argentina_afip_invoices_plugin | up to 1.3.0 (excluding) |
| ui | argentina_afip_invoices | up to 1.3.0 (including) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Scripting (XSS) issue in the UCRM Argentina AFIP invoices Plugin, version 1.2.0 and earlier. An attacker who can get an Administrator to visit a specially crafted malicious page can cause script to execute in the Administrator's browser session with the plugin, and therefore act with the Administrator's privileges. The plugin is disabled by default, so only installations that have enabled it are exposed.
How can this vulnerability impact me?
If exploited, this vulnerability could allow an attacker to escalate their privileges by tricking an Administrator into visiting a malicious page: whatever the injected script does is performed with the Administrator's rights. This could lead to unauthorized access to or control over the affected system, potentially compromising confidentiality, integrity, and availability.
What immediate steps should I take to mitigate this vulnerability?
Update the UCRM Argentina AFIP invoices Plugin to version 1.3.0 or later. Since the plugin is disabled by default, check whether it has been enabled on your installation; if it is not in use, keep it disabled (or disable it) rather than leaving an unpatched copy active.
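To make the two points above concrete, here is an added Python example that is not code from the UCRM plugin, from Ubiquiti, or from this advisory. It shows the generic pattern behind this bug class (an attacker-controlled value copied into an HTML response unescaped) beside the same rendering with output encoding, and a small version-comparison helper for the "1.3.0 or later" remediation check. The function names, the field name `customer`, and the sample payload are assumptions made for the example; the vulnerable snippet does not reproduce the plugin's actual code.

```python
import html
import re

# Constructed sample input, not taken from the advisory: a value an attacker
# could plant in a link that an Administrator is lured into opening.
PAYLOAD = '"><script>alert(1)</script>'


def render_unsafe(customer_name: str) -> str:
    """Illustrative vulnerable pattern (hypothetical, not the plugin's code):
    the request parameter is interpolated straight into the HTML response,
    so a value containing a quote and a tag breaks out of the attribute."""
    return f'<input name="customer" value="{customer_name}">'


def render_safe(customer_name: str) -> str:
    """Same template with HTML output encoding. quote=True also encodes
    the double and single quote, which is what keeps the value inside
    the attribute."""
    return f'<input name="customer" value="{html.escape(customer_name, quote=True)}">'


def contains_script_tag(rendered: str) -> bool:
    """Crude check used here only to show that the encoded output no
    longer carries a live <script> tag."""
    return "<script" in rendered.lower()


# Remediation check: versions below 1.3.0 are affected per the advisory.
FIXED_VERSION = (1, 3, 0)
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH' into a tuple so that '1.10.0' compares
    above '1.3.0' (a plain string comparison would get that wrong)."""
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(installed_version: str) -> bool:
    """True when the installed plugin version is older than the 1.3.0 fix."""
    return parse_version(installed_version) < FIXED_VERSION


if __name__ == "__main__":
    print("unsafe:", render_unsafe(PAYLOAD))
    print("safe:  ", render_safe(PAYLOAD))
    for candidate in ("1.2.0", "1.3.0", "1.10.0"):
        state = "affected, update" if is_affected(candidate) else "fixed"
        print(f"plugin {candidate}: {state}")
```

The unsafe rendering emits the payload verbatim, so the browser sees a closed attribute followed by a script element; the safe rendering turns `<`, `>` and `"` into entities and the value stays inert text inside the attribute. The version helper is there because "1.3.0 or later" must be compared numerically per component, not as a string.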