Cyber Resilience

CVE-2025-68849

Severity: High
Published: 22 January 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: not recorded
CVSS v3.1 score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS score: 0.0006 (20.3rd percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-68849 is a high-severity Cross-site Scripting (CWE-79) vulnerability with a CVSS v3.1 base score of 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001). Its EPSS score places it at the 20.3rd percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations identified in this analysis are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-68849 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as CWE-79, enabling Reflected Cross-Site Scripting (XSS) in the Quote Master WordPress plugin developed by Frank Corso. It affects all versions of the quote-master plugin up to and including 7.1.1, with no specified lower bound. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): network reachable, low attack complexity, no privileges required, and a scope change. The score stays below Critical because a user interaction is required (UI:R) and each impact metric is rated Low.

Attackers can exploit this vulnerability remotely without authentication by crafting a URL whose parameter value is reflected, unencoded, into the generated page; a victim must be induced to open the link or submit the payload (UI:R). Successful exploitation gives the attacker script execution in the victim's browser within the site's origin, with low-rated impacts: confidentiality (e.g., reading page content or session cookies, the latter only if the cookie is not marked HttpOnly), integrity (e.g., injecting content or issuing requests that act as the user), and availability (e.g., breaking the rendered page). The scope change (S:C) reflects that the vulnerable component is the server-side plugin while the impacted component is the user's browser, a different security authority.

Patchstack's advisory documents this Reflected XSS in Quote Master 7.1.1 at https://patchstack.com/database/Wordpress/Plugin/quote-master/vulnerability/wordpress-quote-master-plugin-7-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. Practitioners should update to a patched version if one is available, or otherwise monitor for vendor remediation guidance; the affected-range notation "through <= 7.1.1" in the record identifies no fixed version.

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Frank Corso Quote Master (quote-master) allows Reflected XSS. This issue affects Quote Master: from n/a through <= 7.1.1.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Related Threats

MITRE ATT&CK Enterprise Techniques

T1204.001 Malicious Link (Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.
T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Reflected XSS directly enables malicious link delivery for user execution (T1204.001) and client-side script execution for stealing web session cookies (T1539) and browser session hijacking (T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-23699 (shared CWE-79)
CVE-2025-12551 (shared CWE-79)
CVE-2024-13862 (shared CWE-79)
CVE-2026-32545 (shared CWE-79)
CVE-2025-23485 (shared CWE-79)
CVE-2025-23495 (shared CWE-79)
CVE-2025-26991 (shared CWE-79)
CVE-2025-23626 (shared CWE-79)
CVE-2026-32528 (shared CWE-79)
CVE-2025-26565 (shared CWE-79)

Affected Assets

Quote Master WordPress plugin (slug quote-master) by Frank Corso, all versions up to and including 7.1.1.
Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Requires validation and neutralization of all inputs before web page generation, directly blocking the reflected XSS payload in Quote Master.

SI-15 Information Output Filtering (prevent)
Mandates filtering of outputs to remove or encode untrusted script content, preventing reflected XSS from executing in the victim's browser.

Malicious code inspection (prevent, detect)
Provides malicious code inspection and blocking mechanisms that can identify and stop common XSS script patterns delivered via plugin input.
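To make the two preventive controls concrete, the following is an added example and not code from the Quote Master plugin or the Patchstack advisory: a reflected-XSS sink of the CWE-79 kind the advisory describes, next to its hardened form. The function names (qm_example_*) and the "search" request parameter are hypothetical. The WordPress helpers wp_unslash(), sanitize_text_field(), esc_attr() and esc_html() are real; the shims below are approximations so the file runs stand-alone, and are skipped when the file is loaded inside WordPress.

```php
<?php
// Added example, not Quote Master code. Shows an unencoded reflection of a
// request parameter (vulnerable) beside input validation (SI-10) plus
// context-specific output encoding (SI-15) (hardened).
declare(strict_types=1);

// Stand-alone approximations of four WordPress helpers. Inside WordPress the
// function_exists() guards are false and the real implementations are used.
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) { return is_string($value) ? stripslashes($value) : $value; }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation: strip tags, drop control characters, trim whitespace.
    function sanitize_text_field($str): string {
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

/**
 * Vulnerable pattern: the "search" parameter is reflected into an HTML
 * attribute and into element text with no validation and no encoding.
 * A value such as "><script>... closes the attribute and injects markup.
 */
function qm_example_vulnerable(array $get): string
{
    $q = $get['search'] ?? '';
    return '<input type="text" name="search" value="' . $q . '">'
         . '<p>Results for: ' . $q . '</p>';
}

/**
 * Hardened form. On the way in, the value is unslashed and reduced to plain
 * text (SI-10). On the way out, each reflection is encoded for its exact
 * HTML context (SI-15): esc_attr() inside an attribute value, esc_html() in
 * element content. Either layer alone would already neutralise a <script>
 * tag; using both keeps the page safe if one is later bypassed or removed.
 */
function qm_example_hardened(array $get): string
{
    $q = isset($get['search']) ? sanitize_text_field(wp_unslash($get['search'])) : '';
    return '<input type="text" name="search" value="' . esc_attr($q) . '">'
         . '<p>Results for: ' . esc_html($q) . '</p>';
}

/** Demo check: is a raw, unencoded <script tag present in the rendered HTML? */
function qm_example_reflects_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

if (PHP_SAPI === 'cli') {
    // Constructed probe: the classic attribute-breakout test string.
    $probe = ['search' => '"><script>alert(1)</script>'];
    $renders = [
        'vulnerable' => qm_example_vulnerable($probe),
        'hardened'   => qm_example_hardened($probe),
    ];
    foreach ($renders as $label => $html) {
        printf("%-10s raw <script> reflected: %s\n  %s\n",
            $label, qm_example_reflects_raw_script($html) ? 'yes' : 'no', $html);
    }
}
```

Run with `php` on the command line: the vulnerable render contains the literal `<script>` tag, while the hardened render carries only `&quot;&gt;alert(1)`. The encoding function must match the output context; esc_attr() and esc_html() are interchangeable here only because both escape the same five characters, whereas a value placed inside a JavaScript block or a URL needs its own encoder (esc_js(), esc_url()). Marking the session cookie HttpOnly limits the confidentiality impact if a reflection is missed, but does not remove the integrity impact of script running in the user's session.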

References