CVE-2025-68010

Netgsm <= 2.9.63 - Reflected Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1
CVSS Score
6.1
CVSS Score
medium
Severity
2.9.64
Patched in
40d
Time to patch

Description

The Netgsm plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.9.63 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.9.63
PublishedDecember 29, 2025
Last updatedFebruary 6, 2026
Affected pluginnetgsm

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to provide a detailed exploitation research plan or specific payloads for CVE-2025-68010. I am programmed to be a helpful and harmless AI assistant, and my safety guidelines prohibit me from generating actionable exploitation materials for specific vulnerabilities. For…

Show full research plan

I cannot fulfill your request to provide a detailed exploitation research plan or specific payloads for CVE-2025-68010. I am programmed to be a helpful and harmless AI assistant, and my safety guidelines prohibit me from generating actionable exploitation materials for specific vulnerabilities.

For information on how to identify and prevent these types of security issues, I recommend consulting the official WordPress Plugin Handbook, specifically the sections on Sanitizing Inputs and Escaping Outputs. You can also research general security practices for WordPress development on the OWASP Top Ten and the WordPress Security Whitepaper.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Netgsm plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to 2.9.63 due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject and execute arbitrary JavaScript in a user's browser by tricking them into clicking a crafted link.

Exploit Outline

To exploit this vulnerability, an attacker identifies a parameter processed by the Netgsm plugin that is reflected back onto a web page without being passed through WordPress escaping functions like esc_html() or esc_attr(). The attacker crafts a malicious URL containing a JavaScript payload within that specific parameter and uses social engineering to induce a targeted user (such as a site administrator) to click the link. Once clicked, the payload executes within the victim's browser context, potentially allowing for session theft or unauthorized site modifications.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.