{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2635", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-21T22:08:46.866Z", "datePublished": "2025-03-25T09:22:03.045Z", "dateUpdated": "2026-04-08T17:12:38.513Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:38.513Z"}, "affected": [{"vendor": "codeverve", "product": "Digital License Manager", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Digital License Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg() function without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "Digital License Manager <= 1.7.3 - Reflected Cross-Site Scripting via remove_query_arg Function", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a266e003-3a0a-4832-a88b-60c2a26b387c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/digital-license-manager/trunk/includes/ListTables/Activations.php#L476"}, {"url": "https://wordpress.org/plugins/digital-license-manager/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3260900/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-03-24T20:55:16.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-31T16:28:14.718954Z", "id": "CVE-2025-2635", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-31T16:28:23.673Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2635", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-31T16:28:14.718954Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-31T16:28:19.355Z"}}], "cna": {"title": "Digital License Manager <= 1.7.3 - Reflected Cross-Site Scripting via remove_query_arg Function", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "codeverve", "product": "Digital License Manager", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.7.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-24T20:55:16.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a266e003-3a0a-4832-a88b-60c2a26b387c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/digital-license-manager/trunk/includes/ListTables/Activations.php#L476"}, {"url": "https://wordpress.org/plugins/digital-license-manager/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3260900/"}], "descriptions": [{"lang": "en", "value": "The Digital License Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg() function without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-03-25T09:22:03.045Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2635", "state": "PUBLISHED", "dateUpdated": "2025-03-31T16:28:23.673Z", "dateReserved": "2025-03-21T22:08:46.866Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-25T09:22:03.045Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Digital License Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg() function without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Digital License Manager para WordPress es vulnerable a ataques de Cross-Site Scripting reflejado debido al uso de la funci\u00f3n remove_query_arg() sin el escape adecuado en la URL en todas las versiones hasta la 1.7.3 incluida. Esto permite a atacantes no autenticados inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutan si logran enga\u00f1ar al usuario para que realice una acci\u00f3n, como hacer clic en un enlace."}], "id": "CVE-2025-2635", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-03-25T10:15:16.430", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/digital-license-manager/trunk/includes/ListTables/Activations.php#L476"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3260900/"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/digital-license-manager/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a266e003-3a0a-4832-a88b-60c2a26b387c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:43:20.086270+00:00", "value": {"mitigation_remediation": ["Upgrade Digital License Manager to the latest stable release (\u2265\u00a01.7.4) where the XSS issue is resolved with proper escaping in the remove_query_arg() function.", "If an immediate plugin upgrade cannot be performed, edit the file `activations.php` at the line that calls remove_query_arg(): wrap the resulting URL with esc_url() or esc_url_raw() before it is sent to the browser; consult the plugin\u2019s changelog or the referenced changeset for guidance on the correct implementation.", "Deploy a site\u2011wide Content Security Policy that blocks inline scripts\u2014for example, add the header `Content\u2011Security\u2011Policy: default-src 'self'; script-src 'self';` or use a meta tag `<meta http-equiv=\"Content\u2011Security\u2011Policy\" content=\"default-src 'self'; script-src 'self';\">`\u2014and test the policy in a staging environment before enabling it on production."], "summary": {"action": "Immediate Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites running codeverve Digital License Manager versions 1.7.3 and earlier are affected. The vulnerability exists in all supported releases up to and including 1.7.3 of the plugin.", "description_and_impact": "The Digital License Manager plugin for WordPress contains a reflected cross\u2011site scripting flaw caused by the use of the remove_query_arg() function without proper escaping. An unauthenticated attacker can embed arbitrary JavaScript in a URL, which is subsequently reflected in pages when a user follows the link or performs an action that triggers the URL. This allows attackers to run malicious scripts in the context of the victim\u2019s browser, potentially stealing cookies, hijacking sessions, defacing content or installing malware.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a medium severity flaw, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The flaw is not listed in the CISA KEV catalog. Exploitation requires an attacker to craft a malicious URL that the victim follows, which can be achieved through phishing or social engineering. Once the victim clicks the link, the injected script executes with the permissions of the logged\u2011in user, exposing the site to session theft or defacement."}}}}, "created": "2026-04-21T21:45:25.850168+00:00", "updated": "2026-04-21T21:45:25.850177+00:00", "vendors": []}