Executive Summary

CVE-2025-67991 is a Cross Site Scripting (XSS) vulnerability found in the WordPress User Extra Fields Plugin versions up to and including 16.8.

This vulnerability allows an attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, into a website. These scripts execute when visitors access the affected site.

Exploitation does not require authentication to initiate but does require interaction by a privileged user, such as clicking a malicious link, visiting a crafted page, or submitting a form.

The vulnerability is categorized under OWASP Top 10 A3: Injection and has a CVSS score of 7.1, indicating medium severity.

The issue was reported by Phat RiO on November 23, 2025, and patched in version 16.9 of the plugin.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts on your website, which can lead to unauthorized redirects, display of unwanted advertisements, or execution of harmful HTML payloads.

Such attacks can compromise the integrity and trustworthiness of your website, potentially harming your users and damaging your reputation.

Since exploitation requires interaction by a privileged user, attackers might trick administrators or other privileged users into triggering the malicious scripts.

If unmitigated, this vulnerability could be exploited to perform further attacks or gain unauthorized access to sensitive information.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'The vulnerability affects WordPress User Extra Fields Plugin versions up to and including 16.8 and allows Cross Site Scripting (XSS) attacks via malicious script injection.'}, {'type': 'paragraph', 'content': 'Detection can involve checking the installed plugin version to see if it is 16.8 or earlier, which is vulnerable.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves reflected XSS, monitoring web traffic for suspicious script injections or unusual URL parameters that trigger script execution can help detect exploitation attempts.'}, {'type': 'paragraph', 'content': 'Specific commands to detect the vulnerable plugin version include using WP-CLI or checking plugin files directly, for example:'}, {'type': 'list_item', 'content': "wp plugin list | grep 'user-extra-fields' # To check installed plugin and version"}, {'type': 'list_item', 'content': "grep 'Version' wp-content/plugins/wp-user-extra-fields/readme.txt # To verify plugin version"}, {'type': 'paragraph', 'content': 'Additionally, web application firewalls or security tools with Patchstack mitigation rules can help detect and block exploitation attempts automatically.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary and most effective mitigation step is to update the WordPress User Extra Fields Plugin to version 16.9 or later, where the vulnerability is patched.

Until the update can be applied, it is recommended to use Patchstack mitigation rules which can automatically block attacks exploiting this vulnerability.

Other general mitigation steps include limiting privileged user interactions with untrusted content and monitoring for suspicious activity related to script injections.

Useful 0 Not Useful 0