Cross-site Scripting Vulnerability in WP Wizard Cloak by Soflyy
CVE-2025-53237

7.1HIGH

Key Information:

Vendor: WordPress
Status: WP Wizard Cloak
Vendor: CVE Published:; 20 February 2026

What is CVE-2025-53237?

The WP Wizard Cloak plugin created by Soflyy is susceptible to a reflected cross-site scripting (XSS) vulnerability. This flaw arises from improper neutralization of input during web page generation, allowing attackers to inject malicious scripts. Successful exploitation can lead to unauthorized access or manipulation of the affected webpage, jeopardizing user data and site integrity. Site administrators using WP Wizard Cloak version 1.0.1 or earlier should address this issue promptly to protect their websites.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

WP Wizard Cloak <= n/a

References

https://patchstack.com/database/Wordpress/Plugin/wp-wizar...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 20, 2026
Vulnerability Reserved
Jun 27, 2025

Credit

Nguyen Xuan Chien | Patchstack Bug Bounty Program

JSON

WordPress