CVE-2025-67984 Overview
CVE-2025-67984 is a DOM-Based Cross-Site Scripting (XSS) vulnerability affecting the NPS Computy WordPress plugin developed by calliko. This vulnerability allows attackers to inject malicious scripts through improper neutralization of user input during web page generation. The flaw exists in versions up to and including 2.8.2 of the plugin.
Critical Impact
Attackers can execute arbitrary JavaScript in victim browsers, potentially stealing session cookies, redirecting users to malicious sites, or performing actions on behalf of authenticated users within the WordPress admin panel.
Affected Products
- NPS Computy WordPress plugin, versions up to and including 2.8.2
- WordPress installations utilizing the vulnerable nps-computy plugin
- Websites with user-facing forms or content processed by NPS Computy
Discovery Timeline
- 2026-02-20 - CVE-2025-67984 published to NVD
- 2026-02-23 - Last updated in NVD database
Technical Details for CVE-2025-67984
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). DOM-Based XSS differs from traditional reflected or stored XSS in that the attack payload is executed as a result of modifying the DOM environment in the victim's browser. The vulnerability originates from the client-side code rather than the server response.
In this specific case, the NPS Computy plugin fails to properly sanitize user-controlled input before it is processed by client-side JavaScript and rendered into the Document Object Model. This allows an attacker to craft malicious URLs or inject content that, when processed by the vulnerable JavaScript code, executes arbitrary scripts in the context of the victim's browser session.
The attack requires user interaction (such as clicking a crafted link), but its impact can extend beyond the vulnerable component itself, including session hijacking, credential theft, and unauthorized actions within the WordPress administrative interface.
Root Cause
The root cause is insufficient input validation and output encoding within the NPS Computy plugin's JavaScript code. When user-supplied data is incorporated into DOM manipulation operations without proper sanitization, the browser interprets malicious input as executable code rather than data.
Common vulnerable patterns in DOM-Based XSS include:
- Direct use of document.location, document.URL, or document.referrer in sink functions
- Unsafe use of innerHTML, outerHTML, or document.write() with unvalidated input
- Improper handling of URL parameters or hash fragments in client-side routing
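The source-to-sink pattern listed above, shown beside a hardened version, as an added example rather than code from the NPS Computy plugin. The "score" fragment parameter and the element stand-in are assumptions so that the snippet runs in Node without a browser.

```javascript
// Added example, not code from the NPS Computy plugin: a DOM-XSS source (the URL
// fragment) flowing into a sink (innerHTML), and the hardened equivalent.
// The "score" parameter and makeElement() are assumptions for running in Node.

// Stand-in for a DOM element; a real browser parses innerHTML as HTML.
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Read one key from the URL hash fragment (location.hash is a classic DOM-XSS source).
function fragmentParam(href, key) {
  const hash = new URL(href).hash.slice(1);
  return new URLSearchParams(hash).get(key) ?? '';
}

// Vulnerable: untrusted fragment data reaches the innerHTML sink unchanged,
// so any markup placed in the URL is parsed and rendered by the browser.
function renderVulnerable(el, href) {
  const score = fragmentParam(href, 'score');
  el.innerHTML = '<p>Your score: ' + score + '</p>';
  return el.innerHTML;
}

// Hardened: validate the value against its expected shape (an NPS score is 0..10)
// and write it with textContent, which never parses markup.
function renderHardened(el, href) {
  const raw = fragmentParam(href, 'score');
  const score = /^(?:10|[0-9])$/.test(raw) ? raw : '';
  el.textContent = 'Your score: ' + score;
  return el.textContent;
}

// Where markup must be assembled from strings, entity-encode untrusted text first.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}
```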
Attack Vector
The attack is network-based and requires a victim to interact with a malicious link or visit a compromised page. An attacker can craft a specially designed URL containing a JavaScript payload that, when clicked by an authenticated WordPress user or site visitor, executes in their browser context.
The malicious script can then access cookies, session tokens, or other sensitive information retained by the browser. Because the vulnerability is assessed with a CVSS scope of Changed, the attack can affect resources beyond the vulnerable component itself.
For technical details on exploitation patterns, refer to the Patchstack WordPress Plugin Advisory.
Detection Methods for CVE-2025-67984
Indicators of Compromise
- Unusual JavaScript execution patterns in browser developer console logs
- Unexpected DOM modifications on pages utilizing NPS Computy functionality
- User reports of browser redirects or pop-ups when interacting with NPS Computy forms
- Authentication token exfiltration attempts in network traffic logs
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution
- Monitor web application firewall (WAF) logs for XSS payload patterns targeting NPS Computy endpoints
- Review browser console logs for JavaScript errors or unexpected script sources
- Deploy client-side security monitoring to detect DOM manipulation anomalies
Monitoring Recommendations
- Enable detailed logging for all WordPress plugin activities, particularly NPS Computy interactions
- Configure WAF rules to alert on common XSS payloads in URL parameters and form inputs
- Monitor for unusual outbound connections from client browsers that may indicate data exfiltration
- Set up alerts for CSP violation reports which may indicate attempted exploitation
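Triage logic for the CSP violation reports mentioned above, added here as an example and not part of the original advisory. It assumes the policy carries a report-uri or report-to directive so browsers post the standard "csp-report" JSON body; the site origin and the sample reports are constructed.

```javascript
// Added example, not from the original page: classify CSP violation reports so that
// only script-src violations (the XSS-relevant class) raise alerts.
// SITE_ORIGIN and SAMPLE_REPORTS are constructed assumptions.

const SITE_ORIGIN = 'https://example.test';   // assumption: the WordPress site's own origin

// Returns 'inline-script', 'eval', 'foreign-script', 'other' or 'ignore'.
function triageCspReport(jsonText) {
  let report;
  try {
    report = JSON.parse(jsonText)['csp-report'];
  } catch (e) {
    return 'ignore';                                   // malformed body
  }
  if (!report || typeof report !== 'object') return 'ignore';
  const directive = String(report['effective-directive'] || report['violated-directive'] || '');
  if (!directive.startsWith('script-src')) return 'other';   // also covers script-src-elem
  const blocked = String(report['blocked-uri'] || '');
  if (blocked === 'inline') return 'inline-script';  // blocked inline handler or <script> body
  if (blocked === 'eval') return 'eval';
  try {
    return new URL(blocked).origin === SITE_ORIGIN ? 'ignore' : 'foreign-script';
  } catch (e) {
    return 'other';                                    // e.g. "data" or another opaque value
  }
}

// inline-script is noisy on WordPress until nonces or hashes are in place, so in
// practice correlate it with the document-uri of pages that use the plugin.
const ALERT_CLASSES = new Set(['inline-script', 'eval', 'foreign-script']);

function alertCount(reports) {
  return reports.filter((r) => ALERT_CLASSES.has(triageCspReport(r))).length;
}

// Constructed sample reports (not real telemetry).
const SAMPLE_REPORTS = [
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://example.test/survey/',
    'effective-directive': 'script-src-elem', 'violated-directive': 'script-src',
    'blocked-uri': 'inline', 'disposition': 'enforce' } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://example.test/survey/',
    'violated-directive': 'script-src', 'blocked-uri': 'https://cdn.example.net/x.js' } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://example.test/',
    'violated-directive': 'style-src', 'blocked-uri': 'inline' } }),
  'not json',
];
```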
How to Mitigate CVE-2025-67984
Immediate Actions Required
- Update the NPS Computy plugin to a patched version when available from the vendor
- Consider temporarily disabling the NPS Computy plugin if it is not critical to site operations
- Implement strict Content Security Policy headers to mitigate XSS impact
- Review and audit any custom code integrating with NPS Computy functionality
Patch Information
Users should monitor the official WordPress plugin repository and the Patchstack advisory for updated versions of NPS Computy that address this vulnerability. Versions <= 2.8.2 are confirmed vulnerable.
Workarounds
- Implement a Web Application Firewall (WAF) with XSS filtering rules to block malicious payloads
- Add Content Security Policy headers restricting inline JavaScript execution: Content-Security-Policy: script-src 'self'
- Temporarily disable the NPS Computy plugin until a security patch is released
- Restrict access to WordPress administrative interfaces to trusted IP addresses only
# WordPress .htaccess CSP configuration example
<IfModule mod_headers.c>
# script-src 'self' blocks inline scripts; WordPress core and many plugins emit inline
# script, so roll out via Content-Security-Policy-Report-Only first and add nonces or hashes where needed.
# Add a report-uri or report-to directive to receive the violation reports used for alerting.
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';"
# Legacy header: current browsers ignore it, the CSP above is the effective control
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.