Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-67984

CVE-2025-67984: NPS computy DOM-Based XSS Vulnerability

CVE-2025-67984 is a DOM-based cross-site scripting vulnerability in NPS computy affecting versions up to 2.8.2. Attackers can exploit this flaw to execute malicious scripts in users' browsers. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2025-67984 Overview

CVE-2025-67984 is a DOM-Based Cross-Site Scripting (XSS) vulnerability affecting the NPS Computy WordPress plugin developed by calliko. This vulnerability allows attackers to inject malicious scripts through improper neutralization of user input during web page generation. The flaw exists in versions up to and including 2.8.2 of the plugin.

Critical Impact

Attackers can execute arbitrary JavaScript in victim browsers, potentially stealing session cookies, redirecting users to malicious sites, or performing actions on behalf of authenticated users within the WordPress admin panel.

Affected Products

  • NPS Computy WordPress Plugin versions through <= 2.8.2
  • WordPress installations utilizing the vulnerable nps-computy plugin
  • Websites with user-facing forms or content processed by NPS Computy

Discovery Timeline

  • 2026-02-20 - CVE CVE-2025-67984 published to NVD
  • 2026-02-23 - Last updated in NVD database

Technical Details for CVE-2025-67984

Vulnerability Analysis

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). DOM-Based XSS differs from traditional reflected or stored XSS in that the attack payload is executed as a result of modifying the DOM environment in the victim's browser. The vulnerability originates from the client-side code rather than the server response.

In this specific case, the NPS Computy plugin fails to properly sanitize user-controlled input before it is processed by client-side JavaScript and rendered into the Document Object Model. This allows an attacker to craft malicious URLs or inject content that, when processed by the vulnerable JavaScript code, executes arbitrary scripts in the context of the victim's browser session.

The attack requires user interaction (such as clicking a crafted link), but can result in cross-site impacts including session hijacking, credential theft, and unauthorized actions within the WordPress administrative interface.

Root Cause

The root cause is insufficient input validation and output encoding within the NPS Computy plugin's JavaScript code. When user-supplied data is incorporated into DOM manipulation operations without proper sanitization, the browser interprets malicious input as executable code rather than data.

Common vulnerable patterns in DOM-Based XSS include:

  • Direct use of document.location, document.URL, or document.referrer in sink functions
  • Unsafe use of innerHTML, outerHTML, or document.write() with unvalidated input
  • Improper handling of URL parameters or hash fragments in client-side routing

Attack Vector

The attack is network-based and requires a victim to interact with a malicious link or visit a compromised page. An attacker can craft a specially designed URL containing JavaScript payload that, when clicked by an authenticated WordPress user or site visitor, executes in their browser context.

The malicious script can then access cookies, session tokens, or other sensitive information retained by the browser. Due to the Changed scope indicated in the vulnerability assessment, the attack can affect resources beyond the vulnerable component itself.

For technical details on exploitation patterns, refer to the Patchstack WordPress Plugin Advisory.

Detection Methods for CVE-2025-67984

Indicators of Compromise

  • Unusual JavaScript execution patterns in browser developer console logs
  • Unexpected DOM modifications on pages utilizing NPS Computy functionality
  • User reports of browser redirects or pop-ups when interacting with NPS Computy forms
  • Authentication token exfiltration attempts in network traffic logs

Detection Strategies

  • Implement Content Security Policy (CSP) headers to detect and block inline script execution
  • Monitor web application firewall (WAF) logs for XSS payload patterns targeting NPS Computy endpoints
  • Review browser console logs for JavaScript errors or unexpected script sources
  • Deploy client-side security monitoring to detect DOM manipulation anomalies

Monitoring Recommendations

  • Enable detailed logging for all WordPress plugin activities, particularly NPS Computy interactions
  • Configure WAF rules to alert on common XSS payloads in URL parameters and form inputs
  • Monitor for unusual outbound connections from client browsers that may indicate data exfiltration
  • Set up alerts for CSP violation reports which may indicate attempted exploitation

How to Mitigate CVE-2025-67984

Immediate Actions Required

  • Update the NPS Computy plugin to a patched version when available from the vendor
  • Consider temporarily disabling the NPS Computy plugin if it is not critical to site operations
  • Implement strict Content Security Policy headers to mitigate XSS impact
  • Review and audit any custom code integrating with NPS Computy functionality

Patch Information

Users should monitor the official WordPress plugin repository and the Patchstack advisory for updated versions of NPS Computy that address this vulnerability. Versions <= 2.8.2 are confirmed vulnerable.

Workarounds

  • Implement a Web Application Firewall (WAF) with XSS filtering rules to block malicious payloads
  • Add Content Security Policy headers restricting inline JavaScript execution: Content-Security-Policy: script-src 'self'
  • Temporarily disable the NPS Computy plugin until a security patch is released
  • Restrict access to WordPress administrative interfaces to trusted IP addresses only
bash
# WordPress .htaccess CSP configuration example
<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options "nosniff"
</IfModule>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.