CVE-2025-67984
DOM-Based XSS in calliko NPS computy
Publication date: 2026-02-20
Last updated on: 2026-02-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | nps_computy | to 2.8.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67984 is a medium severity Cross Site Scripting (XSS) vulnerability affecting the WordPress NPS computy Plugin versions up to and including 2.8.2.
It is a DOM-Based XSS vulnerability that allows an attacker to inject malicious scriptsβsuch as redirects, advertisements, or other HTML payloadsβthat execute when site visitors access the compromised website.
Exploitation requires user interaction by a privileged user, such as clicking a malicious link, visiting a crafted page, or submitting a form, although the initial attack vector can be initiated by an unauthenticated user.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can lead to the execution of malicious scripts on your website, which may result in unauthorized redirects, display of unwanted advertisements, or other harmful HTML payloads.'}, {'type': 'paragraph', 'content': "Such exploitation can compromise the security and integrity of your website, potentially harming your users and damaging your site's reputation."}, {'type': 'paragraph', 'content': 'Because the attack requires user interaction, it can be triggered when privileged users interact with crafted content, increasing the risk of further compromise.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a DOM-Based Cross Site Scripting (XSS) issue in the WordPress NPS computy Plugin up to version 2.8.2. Detection typically involves monitoring for suspicious script injections or unusual HTML payloads executed when users visit the site.
While no specific commands are provided in the resources, common detection methods include scanning web application logs for unusual input patterns or using web vulnerability scanners that test for XSS vulnerabilities.
Additionally, monitoring HTTP requests for suspicious query parameters or payloads that could trigger the XSS can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the WordPress NPS computy Plugin to version 2.8.3 or later, where the vulnerability has been patched.
Until the update can be applied, Patchstack provides an automatic mitigation rule that can block attacks targeting this vulnerability.
Using Patchstackβs security services can also provide rapid vulnerability mitigation and ongoing protection for WordPress sites.