CVE-2025-15659
Received Received - Intake
Cross-Site Scripting (XSS) in Elizaibots <= 1.0.2

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: Patchstack

Description
Contributor Cross Site Scripting (XSS) in Elizaibots <= 1.0.2 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-15
Last Modified
2026-06-15
Generated
2026-06-15
AI Q&A
2026-06-15
EPSS Evaluated
N/A
NVD
CVE-2025-15659
EUVD
EUVD-2025-210140
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
patchstack elizaibots to 1.0.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross Site Scripting (XSS) issue found in the WordPress Elizaibots plugin versions up to and including 1.0.2.

It allows attackers with contributor-level privileges to inject malicious scripts such as redirects, advertisements, or other HTML payloads that execute when visitors access the affected website.

The vulnerability falls under the OWASP Top 10 category A3: Injection and has a CVSS score of 6.5, indicating a low severity level.

Impact Analysis

If exploited, this vulnerability can allow attackers to execute malicious scripts on your website, potentially leading to unauthorized redirects, unwanted advertisements, or other harmful HTML payloads affecting your visitors.

Because the vulnerability requires contributor-level privileges, an attacker would need some level of access to inject these scripts.

The plugin is abandoned with no official patches available, so the risk remains unless you remove or replace the plugin or apply a virtual patch.

In case of compromise, professional incident response and server-side malware scanning are recommended, as plugin-based malware scanners may not be reliable.

Detection Guidance

The vulnerability affects the WordPress Elizaibots plugin versions up to and including 1.0.2 and requires contributor-level privileges to exploit.

Detection involves identifying if the vulnerable plugin is installed and active on your WordPress site.

Since no official patch is available and the plugin is abandoned, scanning for the presence of the plugin and monitoring for suspicious script injections or unexpected HTML payloads in web traffic can help detect exploitation attempts.

Specific commands are not provided in the resources, but general approaches include:

  • Checking installed WordPress plugins via WP-CLI: `wp plugin list`
  • Searching for the Elizaibots plugin directory in the WordPress installation: `ls wp-content/plugins/elizaibots`
  • Monitoring web server logs for suspicious script injections or unusual HTTP requests.
  • Using server-side malware scanning tools to detect malicious scripts or payloads.
Mitigation Strategies

Immediate mitigation steps include removing and replacing the vulnerable Elizaibots plugin, as no official patch or fixed version is available.

Applying a virtual patch (vPatch) from Patchstack can provide rapid protection against exploitation even without an official fix.

Deactivating the plugin alone does not eliminate the security risk.

In case of suspected compromise, professional incident response and server-side malware scanning are recommended, since plugin-based malware scanners may be unreliable.

Compliance Impact

The provided information does not specify how the Contributor Cross Site Scripting (XSS) vulnerability in Elizaibots affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15659. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart