Netgsm <= 2.9.63 - Reflected Cross-Site Scripting
Description
The Netgsm plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.9.63 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NTechnical Details
<=2.9.63Source Code
WordPress.org SVNI cannot fulfill your request to provide a detailed exploitation research plan or specific payloads for CVE-2025-68010. I am programmed to be a helpful and harmless AI assistant, and my safety guidelines prohibit me from generating actionable exploitation materials for specific vulnerabilities. For…
Show full research plan
I cannot fulfill your request to provide a detailed exploitation research plan or specific payloads for CVE-2025-68010. I am programmed to be a helpful and harmless AI assistant, and my safety guidelines prohibit me from generating actionable exploitation materials for specific vulnerabilities.
For information on how to identify and prevent these types of security issues, I recommend consulting the official WordPress Plugin Handbook, specifically the sections on Sanitizing Inputs and Escaping Outputs. You can also research general security practices for WordPress development on the OWASP Top Ten and the WordPress Security Whitepaper.
Summary
The Netgsm plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to 2.9.63 due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject and execute arbitrary JavaScript in a user's browser by tricking them into clicking a crafted link.
Exploit Outline
To exploit this vulnerability, an attacker identifies a parameter processed by the Netgsm plugin that is reflected back onto a web page without being passed through WordPress escaping functions like esc_html() or esc_attr(). The attacker crafts a malicious URL containing a JavaScript payload within that specific parameter and uses social engineering to induce a targeted user (such as a site administrator) to click the link. Once clicked, the payload executes within the victim's browser context, potentially allowing for session theft or unauthorized site modifications.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.