CVE-2025-1289

Medium CVSS 4.8

Overview

The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CWE: CWE-79 Published: 2025-05-15T20:16:02.307

Risk analysis

This vulnerability is rated 🟡 MEDIUM.

CVSS: 4.8 (MEDIUM)
Detected tags: wordpress, xss (tag impact: MODERATE)

Recommended actions:

Apply context-aware output encoding.
Enable Content-Security-Policy and HttpOnly/SameSite cookies.

Overview

Recommended tools

Tags