{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6324", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-06-19T10:04:11.672Z", "datePublished": "2025-12-18T07:22:09.770Z", "dateUpdated": "2026-04-28T18:21:54.964Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "easy-invoice", "product": "Easy Invoice", "vendor": "MatrixAddons", "versions": [{"changes": [{"at": "2.1.0", "status": "unaffected"}], "lessThanOrEqual": "2.0.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ryan Novotny | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:01:03.311Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MatrixAddons Easy Invoice easy-invoice allows DOM-Based XSS.<p>This issue affects Easy Invoice: from n/a through <= 2.0.9.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MatrixAddons Easy Invoice easy-invoice allows DOM-Based XSS.This issue affects Easy Invoice: from n/a through <= 2.0.9."}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:10.275Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/easy-invoice/vulnerability/wordpress-easy-invoice-plugin-2-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Easy Invoice plugin <= 2.0.9 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-18T19:02:09.343577Z", "id": "CVE-2025-6324", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T18:21:54.964Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6324", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-06-19T10:04:11.672Z", "datePublished": "2025-12-18T07:22:09.770Z", "dateUpdated": "2026-04-28T18:21:54.964Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "easy-invoice", "product": "Easy Invoice", "vendor": "MatrixAddons", "versions": [{"changes": [{"at": "2.1.0", "status": "unaffected"}], "lessThanOrEqual": "2.0.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ryan Novotny | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:01:03.311Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MatrixAddons Easy Invoice easy-invoice allows DOM-Based XSS.<p>This issue affects Easy Invoice: from n/a through <= 2.0.9.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MatrixAddons Easy Invoice easy-invoice allows DOM-Based XSS.This issue affects Easy Invoice: from n/a through <= 2.0.9."}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:10.275Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/easy-invoice/vulnerability/wordpress-easy-invoice-plugin-2-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Easy Invoice plugin <= 2.0.9 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6324", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-18T19:02:09.343577Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T19:01:20.136Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MatrixAddons Easy Invoice easy-invoice allows DOM-Based XSS.This issue affects Easy Invoice: from n/a through <= 2.0.9."}], "id": "CVE-2025-6324", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-12-18T08:16:16.817", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/easy-invoice/vulnerability/wordpress-easy-invoice-plugin-2-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:09:58.708033+00:00", "value": {"mitigation_remediation": ["Upgrade Easy Invoice to the latest release (v2.1.0 or later).", "If an immediate upgrade is not possible, remove or sanitize any user\u2011supplied data that is rendered by the plugin, ensuring that all output is properly escaped for JavaScript/HTML contexts.", "If the plugin remains in use, limit its access to administrators only and enforce strict input validation, or selectively disable the plugin on sites that do not require it."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "MatrixAddons Easy Invoice plugin versions up to and including 2.0.9 are affected. The vulnerability applies to all installations of this plugin for WordPress where untrusted input is reflected in the generated HTML without proper escaping.", "description_and_impact": "This flaw is a DOM\u2011based Cross\u2011Site Scripting vulnerability that allows an attacker to inject arbitrary client\u2011side script into the web page rendered by the Easy Invoice plugin. Because the plugin does not properly neutralize user\u2011supplied data, an attacker could execute code in a victim\u2019s browser, gaining the ability to steal session cookies, deface the site, or perform phishing attacks within the context of the affected WordPress installation. The impact is a direct compromise of confidentiality and integrity for users interacting with the plugin, but it does not affect availability at the server level.", "risk_and_exploitability": "The CVSS score of 7.1 classifies the vulnerability as High severity. The EPSS score of less than 1% indicates a very low exploitation probability at the current time, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, it can be triggered by crafted input in a normal web request, so defenders should consider the risk of an attacker injecting malicious JavaScript via the plugin\u2019s input fields."}}}}, "created": "2025-12-19T09:17:25.199884+00:00", "updated": "2026-04-28T10:15:28.857075+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}