[Security-news] Plausible tracking - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-107
security-news at drupal.org
Wed Sep 24 17:18:09 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-107
Project: Plausible tracking [1]
Date: 2025-September-24
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Affected versions: <1.0.2
CVE IDs: CVE-2025-10927
Description:
This module integrates Plausible Analytics on a site.
The module did not properly filter output in certain cases.
This vulnerability is mitigated by the fact that an attacker must have
permission to add raw HTML to the website, such as an unfiltered WYSIWYG
field on a public-facing comment.
Solution:
Install the latest version:
* If you use the Plausible Analytics module for Drupal, upgrade to Plausible
Analytics v1.0.2 [3]
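To confirm whether a site is still on an affected release, the following added example (not part of the advisory or the module's code) reads a composer.lock and classifies the installed version against the <1.0.2 boundary. The Composer package name drupal/plausible_tracking is an assumption derived from the project URL [1], and the lock content is a constructed sample.

```python
import json
import re

# Assumption: Composer package name derived from the project URL in the advisory.
PACKAGE = "drupal/plausible_tracking"
FIXED = (1, 0, 2)  # advisory: affected versions are <1.0.2


def classify(version):
    """Map a composer.lock version string to affected / fixed / unknown."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?", version.strip())
    if not m:
        return "unknown"  # dev branches (e.g. 1.x-dev) need manual review
    triple = tuple(int(x) for x in m.group(1, 2, 3))
    prerelease = m.group(4) is not None
    # A pre-release of the fixed version sorts before it, so it is still <1.0.2.
    if triple < FIXED or (triple == FIXED and prerelease):
        return "affected"
    return "fixed"


def check_lock(lock_text):
    """Return (version, status) for the module, or (None, 'not-installed')."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name", "").lower() == PACKAGE:
                return pkg["version"], classify(pkg["version"])
    return None, "not-installed"


# Constructed sample composer.lock content (not from a real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.1"},
        {"name": "drupal/plausible_tracking", "version": "1.0.1"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

On a real site, pass the contents of the project's composer.lock to check_lock() instead of SAMPLE_LOCK.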
Reported By:
* Pierre Rudloff (prudloff) [4]
Fixed By:
* Pierre Rudloff (prudloff) [5]
* Benjamin Rasmussen (ras-ben) [6]
Coordinated By:
* Damien McKenna (damienmckenna) [7] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [8]
[1] https://www.drupal.org/project/plausible_tracking
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/plausible_tracking/releases/1.0.2
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/prudloff
[6] https://www.drupal.org/u/ras-ben
[7] https://www.drupal.org/u/damienmckenna
[8] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3548502