{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68031", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:01:03.746Z", "datePublished": "2026-02-20T15:46:36.305Z", "dateUpdated": "2026-04-28T19:55:59.045Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "farazsms", "product": "\u0627\u0641\u0632\u0648\u0646\u0647 \u067e\u06cc\u0627\u0645\u06a9 \u062d\u0631\u0641\u0647 \u0627\u06cc \u0641\u0631\u0627\u0632 \u0627\u0633 \u0627\u0645 \u0627\u0633", "vendor": "faraz sms", "versions": [{"lessThanOrEqual": "2.7.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Skalucy | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:18.139Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in faraz sms \u0627\u0641\u0632\u0648\u0646\u0647 \u067e\u06cc\u0627\u0645\u06a9 \u062d\u0631\u0641\u0647 \u0627\u06cc \u0641\u0631\u0627\u0632 \u0627\u0633 \u0627\u0645 \u0627\u0633 farazsms allows Reflected XSS.<p>This issue affects \u0627\u0641\u0632\u0648\u0646\u0647 \u067e\u06cc\u0627\u0645\u06a9 \u062d\u0631\u0641\u0647 \u0627\u06cc \u0641\u0631\u0627\u0632 \u0627\u0633 \u0627\u0645 \u0627\u0633: from n/a through <= 2.7.3.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in faraz sms \u0627\u0641\u0632\u0648\u0646\u0647 \u067e\u06cc\u0627\u0645\u06a9 \u062d\u0631\u0641\u0647 \u0627\u06cc \u0641\u0631\u0627\u0632 \u0627\u0633 \u0627\u0645 \u0627\u0633 farazsms allows Reflected XSS.This issue affects \u0627\u0641\u0632\u0648\u0646\u0647 \u067e\u06cc\u0627\u0645\u06a9 \u062d\u0631\u0641\u0647 \u0627\u06cc \u0641\u0631\u0627\u0632 \u0627\u0633 \u0627\u0645 \u0627\u0633: from n/a through <= 2.7.3."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:26.893Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/farazsms/vulnerability/wordpress-fzonh-m-hrfh-fr-z-s-m-s-plugin-2-7-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress \u0627\u0641\u0632\u0648\u0646\u0647 \u067e\u06cc\u0627\u0645\u06a9 \u062d\u0631\u0641\u0647 \u0627\u06cc \u0641\u0631\u0627\u0632 \u0627\u0633 \u0627\u0645 \u0627\u0633 plugin <= 2.7.3 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T21:46:33.462621Z", "id": "CVE-2025-68031", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:55:59.045Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-68031", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T21:46:33.462621Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T21:46:34.577Z"}}], "cna": {"title": "WordPress \u0627\u0641\u0632\u0648\u0646\u0647 \u067e\u06cc\u0627\u0645\u06a9 \u062d\u0631\u0641\u0647 \u0627\u06cc \u0641\u0631\u0627\u0632 \u0627\u0633 \u0627\u0645 \u0627\u0633 plugin <= 2.7.3 - Reflected Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Skalucy | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "affected": [{"vendor": "faraz sms", "product": "\u0627\u0641\u0632\u0648\u0646\u0647 \u067e\u06cc\u0627\u0645\u06a9 \u062d\u0631\u0641\u0647 \u0627\u06cc \u0641\u0631\u0627\u0632 \u0627\u0633 \u0627\u0645 \u0627\u0633", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 2.7.3"}], "packageName": "farazsms", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-02-20T16:44:01.371Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/farazsms/vulnerability/wordpress-fzonh-m-hrfh-fr-z-s-m-s-plugin-2-7-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in faraz sms \u0627\u0641\u0632\u0648\u0646\u0647 \u067e\u06cc\u0627\u0645\u06a9 \u062d\u0631\u0641\u0647 \u0627\u06cc \u0641\u0631\u0627\u0632 \u0627\u0633 \u0627\u0645 \u0627\u0633 farazsms allows Reflected XSS.This issue affects \u0627\u0641\u0632\u0648\u0646\u0647 \u067e\u06cc\u0627\u0645\u06a9 \u062d\u0631\u0641\u0647 \u0627\u06cc \u0641\u0631\u0627\u0632 \u0627\u0633 \u0627\u0645 \u0627\u0633: from n/a through <= 2.7.3.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in faraz sms \u0627\u0641\u0632\u0648\u0646\u0647 \u067e\u06cc\u0627\u0645\u06a9 \u062d\u0631\u0641\u0647 \u0627\u06cc \u0641\u0631\u0627\u0632 \u0627\u0633 \u0627\u0645 \u0627\u0633 farazsms allows Reflected XSS.<p>This issue affects \u0627\u0641\u0632\u0648\u0646\u0647 \u067e\u06cc\u0627\u0645\u06a9 \u062d\u0631\u0641\u0647 \u0627\u06cc \u0641\u0631\u0627\u0632 \u0627\u0633 \u0627\u0645 \u0627\u0633: from n/a through <= 2.7.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-02-20T15:46:36.305Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68031", "state": "PUBLISHED", "dateUpdated": "2026-02-23T21:48:05.070Z", "dateReserved": "2025-12-15T10:01:03.746Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:36.305Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in faraz sms \u0627\u0641\u0632\u0648\u0646\u0647 \u067e\u06cc\u0627\u0645\u06a9 \u062d\u0631\u0641\u0647 \u0627\u06cc \u0641\u0631\u0627\u0632 \u0627\u0633 \u0627\u0645 \u0627\u0633 farazsms allows Reflected XSS.This issue affects \u0627\u0641\u0632\u0648\u0646\u0647 \u067e\u06cc\u0627\u0645\u06a9 \u062d\u0631\u0641\u0647 \u0627\u06cc \u0641\u0631\u0627\u0632 \u0627\u0633 \u0627\u0645 \u0627\u0633: from n/a through <= 2.7.3."}, {"lang": "es", "value": "Vulnerabilidad de Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') en faraz sms ?????? ????? ???? ?? ???? ?? ?? ?? farazsms permite XSS Reflejado. Este problema afecta a ?????? ????? ???? ?? ???? ?? ?? ??: desde n/a hasta &lt;= 2.7.3."}], "id": "CVE-2025-68031", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:08.087", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/farazsms/vulnerability/wordpress-fzonh-m-hrfh-fr-z-s-m-s-plugin-2-7-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.7.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "\u0627\u0641\u0632\u0648\u0646\u0647 \u067e\u06cc\u0627\u0645\u06a9 \u062d\u0631\u0641\u0647 \u0627\u06cc \u0641\u0631\u0627\u0632 \u0627\u0633 \u0627\u0645 \u0627\u0633", "source": "cna", "vendor": "faraz sms"}, "product": "\u0627\u0641\u0632\u0648\u0646\u0647_\u067e\u06cc\u0627\u0645\u06a9_\u062d\u0631\u0641\u0647_\u0627\u06cc_\u0641\u0631\u0627\u0632_\u0627\u0633_\u0627\u0645_\u0627\u0633", "vendor": "faraz_sms"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T09:36:07.697576+00:00", "value": {"mitigation_remediation": ["Upgrade the Faraz SMS plugin to the latest version released after 2.7.3 that resolves the XSS issue.", "If no newer version is available, disable the plugin or replace it with a trusted alternative until the vendor releases a fix.", "Implement a Web Application Firewall or equivalent input\u2011validation layer that blocks or sanitizes malicious script payloads before they reach the browser."], "summary": {"action": "Apply Patch", "impact": "Reflected Cross Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw affects the WordPress plugin \u201c\u0627\u0641\u0632\u0648\u0646\u0647 \u067e\u06cc\u0627\u0645\u06a9 \u062d\u0631\u0641\u0647 \u0627\u06cc \u0641\u0631\u0627\u0632 \u0627\u0633 \u0627\u0645 \u0627\u0633\u201d developed by Faraz SMS. All versions from the initial release up to and including 2.7.3 are vulnerable. No other versions have been confirmed to be affected.", "description_and_impact": "The plugin contains an Improper Neutralization of Input During Web Page Generation flaw that allows attackers to inject and execute malicious scripts in a victim's browser. This Reflected Cross\u2011Site Scripting vulnerability can lead to session hijacking, credential theft, or site defacement from the victim's perspective.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high risk, while an EPSS score of less than 1\u202f% suggests that exploitation is currently rare. The vulnerability is not yet listed in CISA\u2019s KEV catalogue. Based on the description, the likely attack vector involves embedding malicious code within a URL or form field that the plugin reflects back to the browser, so the attack requires the victim to load the crafted page. Because the flaw propagates user\u2011controlled data directly into the HTML response, it is straightforward for an attacker with access to the front\u2011end of the site to spin up malicious links."}}}}, "created": "2026-02-23T14:45:43.736255+00:00", "updated": "2026-04-28T09:45:28.450537+00:00", "vendors": ["faraz_sms", "faraz_sms$PRODUCT$\u0627\u0641\u0632\u0648\u0646\u0647_\u067e\u06cc\u0627\u0645\u06a9_\u062d\u0631\u0641\u0647_\u0627\u06cc_\u0641\u0631\u0627\u0632_\u0627\u0633_\u0627\u0645_\u0627\u0633", "wordpress", "wordpress$PRODUCT$wordpress"]}