{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69392", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:13:16.053Z", "datePublished": "2026-02-20T15:46:55.677Z", "dateUpdated": "2026-04-28T20:59:05.734Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "imoney", "product": "iMoney", "vendor": "itex", "versions": [{"lessThanOrEqual": "0.36", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Skalucy | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:18.198Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in itex iMoney imoney allows Reflected XSS.<p>This issue affects iMoney: from n/a through <= 0.36.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in itex iMoney imoney allows Reflected XSS.This issue affects iMoney: from n/a through <= 0.36."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:39.842Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/imoney/vulnerability/wordpress-imoney-plugin-0-36-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress iMoney plugin <= 0.36 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T21:27:55.107154Z", "id": "CVE-2025-69392", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:59:05.734Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69392", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:13:16.053Z", "datePublished": "2026-02-20T15:46:55.677Z", "dateUpdated": "2026-04-28T20:59:05.734Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "imoney", "product": "iMoney", "vendor": "itex", "versions": [{"lessThanOrEqual": "0.36", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Skalucy | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:18.198Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in itex iMoney imoney allows Reflected XSS.<p>This issue affects iMoney: from n/a through <= 0.36.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in itex iMoney imoney allows Reflected XSS.This issue affects iMoney: from n/a through <= 0.36."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:39.842Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/imoney/vulnerability/wordpress-imoney-plugin-0-36-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress iMoney plugin <= 0.36 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-69392", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T21:27:55.107154Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T21:27:41.396Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in itex iMoney imoney allows Reflected XSS.This issue affects iMoney: from n/a through <= 0.36."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en itex iMoney imoney permite XSS Reflejado. Este problema afecta a iMoney: desde n/a hasta &lt;= 0.36."}], "id": "CVE-2025-69392", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:24.700", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/imoney/vulnerability/wordpress-imoney-plugin-0-36-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.36]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "iMoney", "source": "cna", "vendor": "itex"}, "product": "imoney", "vendor": "itex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T09:26:18.380437+00:00", "value": {"mitigation_remediation": ["Update the iMoney plugin to a version newer than 0.36 from the WordPress plugin repository or the itex provider.", "If an immediate update is not possible, remove or sanitize any user\u2011supplied input that is echoed in page output or block the vulnerable query parameters.", "Deploy a Content Security Policy that disallows inline scripts and restricts remote script sources, reducing the impact of any remaining XSS payloads."], "summary": {"action": "Apply Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress installations that have the itex iMoney plugin version 0.36 or earlier installed are affected. The issue applies to all releases from the plugin\u2019s inception up to and including 0.36.", "description_and_impact": "The iMoney WordPress plugin has an improper neutralization of input during web page generation, allowing attackers to inject malicious scripts via reflected XSS. The vulnerability enables arbitrary script execution in the victim browser when unsanitized input is reflected back in a page, potentially compromising the user experience.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high severity, but the EPSS score of less than 1% signals a low current likelihood of exploitation and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is a reflected XSS attack where an attacker crafts a malicious URL containing unsanitized input that is reflected back in the page displayed to a user. Successful exploitation requires user interaction with the crafted link."}}}}, "created": "2026-02-23T14:37:03.647068+00:00", "updated": "2026-04-28T09:30:26.217716+00:00", "vendors": ["itex", "itex$PRODUCT$imoney", "wordpress", "wordpress$PRODUCT$wordpress"]}