Stored Cross-Site Scripting Vulnerability in Mosaic Generator Plugin for WordPress
CVE-2025-8621

6.4MEDIUM

Key Information:

Vendor

WordPress
Status
Mosaic Generator
Vendor
CVE Published:
12 August 2025

What is CVE-2025-8621?

The Mosaic Generator plugin for WordPress is susceptible to Stored Cross-Site Scripting (XSS) attacks through the 'c' parameter. Due to inadequate input sanitization and output escaping, an attacker with Contributor-level access can exploit this vulnerability to inject malicious scripts. These scripts execute when users visit compromised pages, potentially compromising user data and site integrity. It's crucial for users to update to patched versions or implement security measures to mitigate this risk.

Affected Version(s)

Mosaic Generator * <= 1.0.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://wordpress.org/plugins/mosaic-generator/#developers

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

muhammad yudha
.
CVE-2025-8621 : Stored Cross-Site Scripting Vulnerability in Mosaic Generator Plugin for WordPress