Stored Cross-Site Scripting Vulnerability in Favorites WordPress Plugin by WP Plugin Developer
CVE-2025-1452
Summary
The Favorites WordPress plugin, in versions prior to 2.3.5, does not sufficiently sanitize and escape certain of its settings. This allows high-privilege users such as administrators to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability has been restricted, as it is in multisite environments. An attacker with such a role could inject malicious scripts into the stored settings, compromising site security and the data of users who load the affected pages.
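The root cause described above is the generic WordPress plugin-settings mistake: a value is written to the options table and later printed into HTML without being sanitized on save or escaped on output. The following is an added example, not code from the Favorites plugin or from WP Plugin Developer; it shows a hypothetical plugin setting handled correctly through the Settings API. All option, function and shortcode names prefixed `wpd_example_` are assumed for illustration.

```php
<?php
/**
 * Added example (hypothetical plugin; not code from the Favorites plugin):
 * a plugin setting that is sanitized when saved and escaped when rendered.
 * Every identifier prefixed wpd_example_ is assumed for illustration.
 */

// WordPress does not run option values through KSES on its own. The
// unfiltered_html capability only governs post and comment content, so a
// setting submitted by an administrator (including on a multisite network
// where unfiltered_html is withheld) reaches the database unchanged unless
// the plugin attaches its own sanitize callback.
add_action( 'admin_init', 'wpd_example_register_settings' );
function wpd_example_register_settings() {
    // Plain-text setting: no markup is ever legitimate here.
    register_setting(
        'wpd_example_options',
        'wpd_example_button_label',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'wpd_example_sanitize_label',
            'default'           => 'Add to favorites',
        )
    );

    // Rich-text setting: a small, explicit allowlist of tags is permitted.
    register_setting(
        'wpd_example_options',
        'wpd_example_intro_html',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'wpd_example_sanitize_intro',
            'default'           => '',
        )
    );
}

// Strip all tags (script/style blocks included) and normalize whitespace.
function wpd_example_sanitize_label( $value ) {
    return sanitize_text_field( (string) $value );
}

// Allow only the listed tags and attributes; event-handler attributes such as
// onerror/onclick are not in the allowlist and are removed by wp_kses().
function wpd_example_sanitize_intro( $value ) {
    $allowed = array(
        'strong' => array(),
        'em'     => array(),
        'a'      => array( 'href' => true, 'title' => true ),
    );
    return wp_kses( (string) $value, $allowed );
}

// Escape on output with the function that matches the HTML context:
// esc_attr() inside an attribute value, esc_html() inside a text node.
// Sanitizing on save is not a substitute for this step; both are needed.
function wpd_example_render_button( $atts = array(), $content = '' ) {
    $label = get_option( 'wpd_example_button_label', 'Add to favorites' );
    $intro = get_option( 'wpd_example_intro_html', '' );

    // The intro was reduced to the allowlist on save; wp_kses_post() on output
    // guards against values written to the option by any other code path.
    return sprintf(
        '<div class="wpd-example-fav">%s<button title="%s">%s</button></div>',
        wp_kses_post( $intro ),
        esc_attr( $label ),
        esc_html( $label )
    );
}
add_shortcode( 'wpd_example_favorite', 'wpd_example_render_button' );
```

When reviewing a plugin for this class of issue, the check is mechanical: locate every `get_option()` / `update_option()` pair for user-controlled settings, confirm a `sanitize_callback` (or equivalent filtering) exists on the write side, and confirm an `esc_*()` or `wp_kses*()` call wraps the value on every read side, chosen for the attribute, text or URL context in which it is printed.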
Affected Version(s)
Favorites, all versions prior to 2.3.5
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved