CVE-2025-68847
Reflected XSS in iSape β€ 0.72 Enables Web Injection
Publication date: 2026-02-20
Last updated on: 2026-02-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | isape | to 0.72 (inc) |
| itex | isape | to 0.72 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68847 is a medium priority Cross Site Scripting (XSS) vulnerability affecting the WordPress iSape Plugin versions up to and including 0.72.
This vulnerability allows an attacker to inject malicious scriptsβsuch as redirects, advertisements, or other HTML payloadsβinto a website, which execute when visitors access the compromised site.
It is classified under the OWASP Top 10 category A3: Injection.
Exploitation requires user interaction by a privileged user, such as clicking a malicious link, visiting a crafted page, or submitting a form, although no authentication is required to initiate the attack.
No official patch is currently available, but a mitigation rule has been issued to block attacks targeting this vulnerability.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute malicious scripts on your website.
- Attackers can inject redirects that send visitors to malicious or unintended sites.
- Attackers can display unwanted advertisements or other harmful HTML content.
- Visitors to your site may be exposed to these malicious payloads, potentially compromising their security.
Because exploitation requires user interaction, users with privileged access might be tricked into triggering the attack.
Until an official patch is released, your site remains vulnerable unless mitigation rules are applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific information provided about commands or methods to detect this vulnerability on your network or system.
What immediate steps should I take to mitigate this vulnerability?
No official patch is currently available for this vulnerability.
Patchstack has issued a mitigation rule to block attacks targeting this vulnerability.
Users are advised to apply this mitigation immediately to protect their websites.