CVE-2025-3669: 
WordPress vulnerability analysis and mitigation

The Web Directory Free WordPress plugin before version 1.7.2 contains a Reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on July 30, 2024, and was assigned CVE-2024-3669. The issue affects high privilege users such as administrators and stems from improper sanitization and escaping of parameters before output (WPScan).

The vulnerability is caused by insufficient input sanitization where a parameter is not properly sanitized and escaped before being output back in the page. This has been classified as CWE-79: Improper Neutralization of Input During Web Page Generation. The vulnerability has received a CVSS v3.1 base score of 6.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L (WPScan).

The vulnerability could allow attackers to execute cross-site scripting attacks against high privilege users such as administrators. This could potentially lead to high confidentiality impact and low integrity and availability impacts (WPScan).

Users should upgrade to Web Directory Free WordPress plugin version 1.7.2 or later which contains the fix for this vulnerability (WPScan).