
Envo Extra Plugin Under Attack! CVE-2025-66066 Exposes Sites to XSS

Overview

CVE-2025-66066 is a Stored Cross-Site Scripting (XSS) vulnerability in the EnvoThemes Envo Extra WordPress plugin, affecting versions 1.9.11 and earlier. In a stored XSS, attacker-supplied input is saved by the plugin (in a setting or another persisted field) and later rendered into a page without being escaped, so the injected script runs in the browser of every user who views that page, not only the one who submitted it.

Technical Details

The weakness is classified as “Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)”, the CWE-79 category: the plugin accepts input into an area it manages and writes it back into HTML without sanitizing it on save or escaping it for the context in which it is output (element text, attribute value). Whatever JavaScript was stored therefore executes in the browsers of users who load the affected page, which can lead to account compromise, redirection to malicious sites, or other actions performed with the victim’s privileges.

The advisory does not name the injection point, but the nature of a stored XSS means it is a setting, custom field, or other user-controlled value that the plugin persists and later renders, in either its administrative or its front-end interface. Whether planting the payload requires a logged-in account with access to that field, and which role, depends on the field affected, which the advisory does not say.
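The following PHP is an added example, not code from the Envo Extra plugin or from EnvoThemes, showing the pattern described above: a plugin setting rendered into an attribute and into element text without escaping, next to the hardened version that sanitizes on save and escapes per output context. The setting name, the two payloads and the WordPress-style helpers are assumptions for illustration; the helpers are stand-ins defined only when the real `esc_html`, `esc_attr` and `sanitize_text_field` are absent, so the script also runs under plain `php` outside WordPress.

```php
<?php
// Added example, not Envo Extra code: vulnerable vs. hardened rendering of a
// stored plugin setting. The injection point in CVE-2025-66066 is not public;
// a hypothetical "footer text" option stands in for it.

if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Stand-in only; WordPress's version also strips octets and collapses whitespace.
    function sanitize_text_field(string $s): string {
        return trim(strip_tags($s));
    }
}

// VULNERABLE: the stored value is concatenated into an attribute and into
// element text as-is, so whatever was saved becomes live markup.
function render_unsafe(string $stored): string {
    return '<input type="text" name="envo_footer_text" value="' . $stored . '">'
         . '<p class="envo-footer">' . $stored . '</p>';
}

// HARDENED: sanitize when the option is saved, then escape on output with the
// function matching each context (esc_attr inside attributes, esc_html in text).
function save_setting(string $raw): string {
    return sanitize_text_field($raw);
}
function render_safe(string $stored): string {
    return '<input type="text" name="envo_footer_text" value="' . esc_attr($stored) . '">'
         . '<p class="envo-footer">' . esc_html($stored) . '</p>';
}

// Parse the rendered fragment and report anything the template did not write:
// extra elements (script, img, ...) or on* event-handler attributes.
function injected_markup(string $html): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><head></head><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $expected = ['html', 'head', 'body', 'input', 'p'];
    $found = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (!in_array($el->tagName, $expected, true)) {
            $found[] = 'element:' . $el->tagName;
        }
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                $found[] = 'attr:' . $attr->name;
            }
        }
    }
    return $found;
}

// Constructed payloads: one injects a tag; the other breaks out of the
// value="" attribute without using '<' at all, which is why escaping on
// output is needed even when tags are stripped on save.
$payloads = [
    'tag'       => '"><img src=x onerror=alert(1)>',
    'attribute' => '" autofocus onfocus="alert(1)',
];

foreach ($payloads as $name => $raw) {
    $unsafe = render_unsafe($raw);
    $safe   = render_safe(save_setting($raw));
    printf("%-9s unsafe: %s\n", $name, implode(', ', injected_markup($unsafe)) ?: '(none)');
    printf("%-9s safe:   %s\n", $name, implode(', ', injected_markup($safe)) ?: '(none)');
}
```

Run with `php example.php`: the unsafe renderer reports injected `img` elements and `onerror`/`onfocus` handlers for both payloads, while the hardened path reports none. The second payload is the one to keep in mind when reviewing a fix: stripping tags on save is not enough if the value is later placed inside an attribute without `esc_attr`.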

CVSS Analysis

Currently, the CVSS score and severity rating for CVE-2025-66066 are listed as N/A. While no score has been assigned, stored XSS vulnerabilities are generally rated ‘Medium’ to ‘High’, depending on who can plant the payload and who views the affected output. An unscored entry is not a low-severity entry; treat it as a pending update and prioritise it accordingly.

Possible Impact

The impact of a successful XSS attack can be significant. An attacker could:

  • Hijack privileged sessions: WordPress sets its authentication cookies HttpOnly by default, so injected script usually cannot read them, but it can still send authenticated requests from the victim’s browser (for example to create an administrator account or install a plugin) using the nonces present on the admin pages it runs in.
  • Deface the site: modify page content to display misleading or malicious information.
  • Redirect visitors: send users to phishing sites or other malicious destinations.
  • Deliver further payloads: load additional scripts, fake update prompts or drive-by download pages into the victim’s browser.
  • Take over the site: if an administrator views the injected content, the actions above amount to full control of the installation.

Mitigation and Patch Steps

The best course of action is to:

  1. Update the plugin: the vulnerability affects versions up to and including 1.9.11, so install the first release newer than 1.9.11 as soon as it is available (check the plugin’s page or the WordPress Updates screen). Contact EnvoThemes support if no patched release is visible.
  2. Disable the plugin: if an update is not yet available, temporarily deactivate Envo Extra until a patch is released.
  3. Review stored input: if possible, inspect the values Envo Extra has stored (its options and any custom fields) for suspicious content (e.g., `