Atomic Edge analysis of CVE-2025-67984:
This vulnerability is an unauthenticated stored cross-site scripting (XSS) flaw in the NPS computy WordPress plugin. The vulnerability affects the plugin’s administrative interface component and has a CVSS score of 7.2 (High severity).
Atomic Edge research identified the root cause as insufficient output escaping in the plugin’s administrative form generation code. The vulnerable code resides in the file `nps-computy/class.nps-computy-admin.php` at lines 400-402. The plugin directly concatenates user-controlled variables `$data1`, `$data22`, and `$pol_name_value` into HTML `value` attributes without proper escaping.
An attacker exploits this vulnerability by submitting malicious JavaScript payloads through the plugin’s administrative interface parameters. That entry point belongs to the plugin’s administrative functionality, yet the vulnerability description indicates it is reachable without authentication. The payload is stored and later executes when an administrator views the affected page containing the injected script.
The patch adds WordPress `esc_attr()` function calls to sanitize the three user-controlled variables before output. In `nps-computy/class.nps-computy-admin.php`, lines 400-402 now wrap `$data1`, `$data22`, and `$pol_name_value` with `esc_attr()`. This ensures any HTML special characters in these values are converted to their HTML entities, preventing script execution while preserving the displayed text. The version number also increments from 2.8.2 to 2.8.3 in both `nps-computy/index.php` and the `NPS_COMPUTY_VERSION` constant.
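The following PHP block is an added illustration of the fix described above; it is not the plugin’s code. It reconstructs only the general shape of the pattern (untrusted strings concatenated into an HTML `value` attribute) beside the hardened form that routes each value through `esc_attr()`, and adds the check a reviewer would run: parse the rendered markup and confirm that the browser recovers exactly one `<input>` with exactly the intended attributes and the original string as its value. Because this runs outside WordPress, a simplified stand-in for `esc_attr()` is defined with `htmlspecialchars()`; inside WordPress the real function is used and the stand-in is skipped. The function names, the `pol_name` field name and the test string are constructed for this example.

```php
<?php
// Added example, not code from the NPS computy plugin.
// Stand-in for WordPress esc_attr() so the file runs without WordPress loaded.
// The real esc_attr() also handles charset detection and avoids double-encoding;
// this simplified version only escapes & < > " and '.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the untrusted value is concatenated straight into the attribute.
// (Shape of the pre-2.8.3 code as the advisory describes it, not a verbatim copy.)
function render_field_vulnerable(string $name, string $value): string {
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: every untrusted string placed inside an attribute goes through esc_attr().
function render_field_hardened(string $name, string $value): string {
    return '<input type="text" name="' . esc_attr($name) . '" value="' . esc_attr($value) . '">';
}

// Defender's check: parse the rendered fragment the way a browser would and verify that
//   1. exactly one element was produced and it is an <input>,
//   2. it carries exactly the three attributes the template intended (type, name, value),
//   3. the parser recovers the original string as the value attribute.
// Any attribute break-out or extra element makes the check fail.
function attribute_round_trips(string $html, string $expected_value): bool {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    $elements = [];
    foreach ($body->childNodes as $node) {
        if ($node->nodeType === XML_ELEMENT_NODE) {
            $elements[] = $node;
        }
    }
    if (count($elements) !== 1 || $elements[0]->tagName !== 'input') {
        return false;
    }
    $input = $elements[0];
    if ($input->attributes->length !== 3) {
        return false;
    }
    return $input->getAttribute('value') === $expected_value;
}

// Constructed test string: a double quote followed by what would become a new attribute
// if the quote were allowed to terminate the value attribute.
$constructed = 'Survey " data-injected="1';

// Unescaped: the parser sees four attributes, so the round-trip check fails.
var_dump(attribute_round_trips(render_field_vulnerable('pol_name', $constructed), $constructed)); // bool(false)

// Escaped with esc_attr(): three attributes, and the value comes back byte-for-byte.
var_dump(attribute_round_trips(render_field_hardened('pol_name', $constructed), $constructed));   // bool(true)
```

The round-trip check is the useful part for a code reviewer: rather than eyeballing entity output, it asserts the property the patch is meant to guarantee, namely that user data in a `value` attribute can only ever be read back as that attribute’s text and can never become markup.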
Successful exploitation allows attackers to inject arbitrary JavaScript code that executes in the context of authenticated administrators. This can lead to session hijacking, administrative account compromise, site defacement, or malware distribution to site visitors. The stored nature means the payload persists and affects all users who view the compromised page.
