CVE-2025-67960
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-22

Last updated on: 2026-01-29

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout-Core workscout-core allows Reflected XSS.This issue affects WorkScout-Core: from n/a through <= 1.7.06.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-01-29
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67960
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
purethemes workscout-core From 1.0 (inc) to 1.7.06 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-67960 is a medium severity Cross Site Scripting (XSS) vulnerability in the WordPress WorkScout-Core Plugin up to version 1.7.06. It allows an unauthenticated attacker to inject malicious scripts into a website, which execute when visitors access the compromised site. These scripts can perform actions like redirects, displaying advertisements, or other harmful HTML payloads. Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page. [1]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts on your website, potentially leading to unauthorized redirects, displaying unwanted advertisements, or other harmful actions that compromise user experience and security. It can also damage your website's reputation and trustworthiness. Attackers do not need to be authenticated but require user interaction to exploit the vulnerability. [1]

Detection Guidance

Detection of this Cross Site Scripting (XSS) vulnerability can be done by scanning the website for reflected XSS payloads, especially targeting the WorkScout-Core plugin versions up to 1.7.06. While specific commands are not provided, using web vulnerability scanners that test for reflected XSS, such as OWASP ZAP or Burp Suite, can help identify the issue. Additionally, monitoring for unusual script injections or unexpected redirects in HTTP responses may indicate exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to update the WorkScout-Core plugin to version 1.7.07 or later, where the vulnerability is fixed. Until the update can be applied, users can use Patchstack's mitigation rules to block attacks targeting this vulnerability. Employing automatic updates and vulnerability mitigation services provided by Patchstack can also help protect affected websites. [1]

Compliance Impact

The provided resources do not specify how this Cross Site Scripting (XSS) vulnerability in WorkScout-Core affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67960. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart