View online: https://www.drupal.org/sa-contrib-2025-107
Project: Plausible tracking [1]
Date: 2025-September-24
Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Affected versions: <1.0.2
CVE IDs: CVE-2025-10927
Description: This module integrates Plausible Analytics on a site.
The module did not properly filter output in certain cases.
This vulnerability is mitigated by the fact that an attacker must have permission to add raw HTML to the website, such as an unfiltered WYSIWYG field on a public-facing comment.
Solution: Install the latest version:
* If you use the Plausible Analytics module for Drupal, upgrade to Plausible Analytics v1.0.2 [3]
Reported By:
* Pierre Rudloff (prudloff) [4]
Fixed By:
* Pierre Rudloff (prudloff) [5]
* Benjamin Rasmussen (ras-ben) [6]
Coordinated By:
* Damien McKenna (damienmckenna) [7] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [8]
[1] https://www.drupal.org/project/plausible_tracking
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/plausible_tracking/releases/1.0.2
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/prudloff
[6] https://www.drupal.org/u/ras-ben
[7] https://www.drupal.org/u/damienmckenna
[8] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....