
CVE-2025-10927: Drupal Plausible tracking is vulnerable to XSS

CVSS Score
6.1 (CVSS v3.1)

Basic Information

EPSS Score
0.07087%
Published
10/30/2025
Updated
10/30/2025
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name
drupal/plausible_tracking
Ecosystem
composer
Vulnerable Versions
< 1.0.2
First Patched Version
1.0.2

Vulnerability Intelligence

Root Cause Analysis

The vulnerability is a stored Cross-Site Scripting (XSS) issue within the 'Plausible tracking' Drupal module. The root cause is the improper handling of user-supplied data in the module's block configuration.

The blockSubmit function in the PlausibleTracking class directly saves the input for the 'Domains' field without any sanitization. An attacker with permissions to configure this block can therefore inject a malicious script into this field. Later, when the block is rendered on a page, the build function retrieves this stored value and inserts it into the data-domain attribute of a <script> tag. This results in the execution of the malicious script in the browser of any user visiting the page where the block is displayed. The patch resolves this by applying Html::escape() to the 'domains' input within the blockSubmit function, preventing the script from being rendered as executable code.

Vulnerable functions

Drupal\plausible_tracking\Plugin\Block\PlausibleTracking::blockSubmit
src/Plugin/Block/PlausibleTracking.php
This function handles the submission of the block's configuration form. The vulnerability lies in the fact that it directly saves the user-provided 'domains' value from the form state (`$values['domains']`) into the block's configuration without any sanitization or escaping. This allows an attacker with permission to configure the block to inject a malicious script payload, which is then stored in the database.
Drupal\plausible_tracking\Plugin\Block\PlausibleTracking::build
src/Plugin/Block/PlausibleTracking.php
This function builds the render array for the block. It retrieves the 'domains' value from the configuration (which may contain a malicious payload saved via `blockSubmit`) and places it directly into the 'data-domain' attribute of a <script> tag. When the page is rendered, this unsanitized value is output into the HTML, allowing the stored cross-site scripting payload to execute in the user's browser.
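The following is an added, self-contained PHP illustration of the two code paths described above (submit-time storage and render-time interpolation into `data-domain`); it is not the module's code and the function names, the config array layout and the sample input are constructed for the example. It models the vulnerable pattern next to the patched pattern (escaping at submit time, as the fix does) and adds an allow-list check a defender can run over stored block configuration.

```php
<?php
// Added example modelling the PlausibleTracking block's submit/build paths.
// Function names and data layout are illustrative stand-ins, not Drupal APIs.
declare(strict_types=1);

/** Stand-in for Drupal's Html::escape(): HTML-escape a string for safe output. */
function htmlEscape(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern: the submitted 'domains' value is stored verbatim. */
function blockSubmitVulnerable(array &$configuration, array $values): void
{
    $configuration['domains'] = $values['domains'];
}

/** Patched pattern: the value is escaped before it reaches configuration. */
function blockSubmitPatched(array &$configuration, array $values): void
{
    $configuration['domains'] = htmlEscape($values['domains']);
}

/** Render path: the stored value lands inside a data-domain attribute. */
function buildScriptTag(array $configuration): string
{
    return sprintf(
        '<script defer data-domain="%s" src="https://plausible.example/js/script.js"></script>',
        $configuration['domains']
    );
}

/**
 * Defensive allow-list: Plausible's data-domain is a comma-separated list of
 * hostnames, so anything outside [A-Za-z0-9.-] and commas indicates either a
 * missing escape or tampering and should be rejected before rendering.
 */
function domainsLookSane(string $stored): bool
{
    return (bool) preg_match('/^[A-Za-z0-9.-]+(?:,[A-Za-z0-9.-]+)*$/', $stored);
}

// Constructed input: a hostname followed by text that closes the attribute and
// opens a new element. A harmless <b> marker stands in for a real payload.
$submitted = ['domains' => 'example.com"><b>INJECTED</b><span x="'];

$vulnerableConfig = [];
blockSubmitVulnerable($vulnerableConfig, $submitted);
echo "Vulnerable render:\n", buildScriptTag($vulnerableConfig), "\n";
// The quote closes data-domain and the <b> element is emitted as markup.

$patchedConfig = [];
blockSubmitPatched($patchedConfig, $submitted);
echo "Patched render:\n", buildScriptTag($patchedConfig), "\n";
// " becomes &quot; and < becomes &lt;, so the value stays inside the attribute.

echo "Allow-list check on stored values:\n";
printf("  vulnerable config: %s\n", domainsLookSane($vulnerableConfig['domains']) ? 'ok' : 'REJECT');
printf("  clean value:       %s\n", domainsLookSane('example.com,www.example.com') ? 'ok' : 'REJECT');
```

Two practitioner notes. First, escaping at submit time (the approach the patch takes) means the stored configuration value is already HTML-encoded; any render path that escapes attribute values a second time will double-encode it (`&amp;quot;`), so the submit-time escape and the render-time output must be reviewed together. Second, because the field is semantically a list of hostnames, the allow-list validation shown in `domainsLookSane()` is a tighter control than escaping alone and can also be run as a one-off audit over existing block configuration exported from sites that ran a version before 1.0.2.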

WAF Protection Rules

WAF Rule

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Plausible tracking allows Cross-Site Scripting (XSS). This issue affects Plausible tracking: versions before 1.0.2.
