CVE-2025-69392
Reflected XSS in iMoney β€ 0.36 Enables Script Injection
Publication date: 2026-02-20
Last updated on: 2026-02-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | imoney | From 0.0 (inc) to 0.36 (inc) |
| itex | imoney | to 0.36 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-69392 is a medium priority Cross Site Scripting (XSS) vulnerability affecting the WordPress iMoney Plugin versions up to and including 0.36.
This vulnerability allows an attacker to inject malicious scriptsβsuch as redirects, advertisements, or other HTML payloadsβinto a website, which execute when visitors access the compromised site.
Exploitation requires user interaction by a privileged user, such as clicking a malicious link, visiting a crafted page, or submitting a form.
The vulnerability falls under the OWASP Top 10 category A3: Injection and is classified specifically as Cross Site Scripting (XSS).
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can inject malicious scripts into your website, which may execute when visitors access the site.
- These scripts can perform unwanted actions such as redirecting users to malicious sites.
- Displaying unauthorized advertisements or other harmful HTML payloads.
- Potentially compromising user data or session information if the malicious script is designed to steal such information.
Successful exploitation depends on privileged user interaction, meaning an attacker needs a user with certain privileges to engage with malicious content.
No official patch is currently available, but mitigation rules exist to block attacks targeting this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Reflected Cross Site Scripting (XSS) issue in the iMoney WordPress plugin up to version 0.36. Detection typically involves monitoring for suspicious input or script injection attempts in web requests.
Since no official patch is available, detection can be aided by using web application firewalls or mitigation rules such as those provided by Patchstack to block attack attempts.
Specific commands are not provided in the available resources, but general detection methods include inspecting HTTP request parameters for suspicious script tags or payloads using tools like curl or grep, or scanning logs for unusual URL parameters.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying the Patchstack mitigation rule designed to block attacks targeting this vulnerability until an official patch is released.
Users should implement web application firewall rules or other security controls to prevent malicious script injection and avoid clicking on suspicious links or visiting untrusted pages.
Since no official patch is currently available, relying on these mitigation measures is critical to protect the website from exploitation.