CVE-2025-68858
Published: 22 January 2026
Summary
CVE-2025-68858 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 20.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-68858 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the wpCAS WordPress plugin developed by Casey Bisson. This issue affects all versions of wpCAS from n/a through 1.07, allowing malicious input to be reflected without proper sanitization during web page generation.
The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): it is exploitable over the network with low attack complexity and no privileges required, but it needs user interaction, such as clicking a crafted link. An attacker can trick authenticated or unauthenticated users into executing arbitrary JavaScript in their browsers, with low-impact confidentiality, integrity, and availability effects and a changed scope, for example session hijacking or data theft from the victim's context.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/wpcas/vulnerability/wordpress-wpcas-plugin-1-0-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the Reflected XSS flaw specifically in wpCAS version 1.0.7, recommending updates or mitigations as per their database entry for affected WordPress installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3996
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Casey Bisson wpCAS wpcas allows Reflected XSS. This issue affects wpCAS: from n/a through <= 1.07.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin directly enables exploitation of web applications (T1190) and facilitates browser session hijacking via injected scripts (T1185).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of all web inputs before page generation, directly blocking the unsanitized reflected input that enables CVE-2025-68858.
- SI-15 (Information Output Filtering): mandates output filtering/encoding of dynamically generated web content, neutralizing script payloads that would otherwise be reflected to victims.
- Malicious-code detection: deploys detection mechanisms that can identify and block common XSS payloads at the boundary or within the web application.
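As an added example, not code from wpCAS or the advisory, the following shows the input-validation (SI-10) and output-encoding (SI-15) controls above applied to a reflected request parameter in WordPress PHP; it assumes WordPress is loaded and uses a hypothetical parameter name "service".

```php
<?php
// Added illustrative example, not wpCAS's own code. It assumes WordPress is
// loaded (esc_html/esc_attr/esc_url/sanitize_text_field/wp_unslash are core
// functions) and uses a hypothetical request parameter named "service".

// Unsafe pattern, the CWE-79 bug class: the raw query value is concatenated
// straight into HTML, so any markup in it is interpreted by the victim's browser.
function wpcas_example_unsafe_notice() {
    $service = isset( $_GET['service'] ) ? $_GET['service'] : '';
    return '<p>Could not reach CAS service: ' . $service . '</p>';
}

// Hardened pattern: sanitize on input (NIST SI-10) and encode on output
// (SI-15), picking the escaper that matches the HTML context the value lands in.
function wpcas_example_safe_notice() {
    // wp_unslash() undoes WordPress's magic-quotes slashing; sanitize_text_field()
    // strips tags and control characters but is NOT a substitute for output encoding.
    $service = isset( $_GET['service'] )
        ? sanitize_text_field( wp_unslash( $_GET['service'] ) )
        : '';

    // Text-node context: esc_html() encodes <, >, &, " and ' as entities.
    $html = '<p>Could not reach CAS service: ' . esc_html( $service ) . '</p>';

    // Attribute context uses esc_attr(); an href uses esc_url(), which returns ''
    // for schemes outside wp_allowed_protocols() (e.g. javascript:) instead of
    // merely encoding them.
    $html .= '<a href="' . esc_url( $service ) . '" title="' . esc_attr( $service ) . '">Retry</a>';

    return $html;
}

// Outside WordPress the equivalent of esc_html()/esc_attr() is
// htmlspecialchars( $s, ENT_QUOTES | ENT_HTML5, 'UTF-8' ).
echo wpcas_example_safe_notice();
```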