Stored Cross-Site Scripting Vulnerability in Redux Framework by WordPress
CVE-2025-9488

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Redux Framework
Vendor: CVE Published:; 13 December 2025

What is CVE-2025-9488?

The Redux Framework plugin for WordPress has a vulnerability that allows authenticated users with Contributor-level access and above to execute arbitrary web scripts. This is caused by insufficient input sanitization and output escaping via the 'data' parameter, affecting all versions up to and including 4.5.8. When a malicious user injects scripts, these scripts can execute every time a user accesses an infected page, posing a significant security threat to WordPress sites utilizing this plugin.

Affected Version(s)

Redux Framework * <= 4.5.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/redux-framewor...

https://wordpress.org/plugins/redux-framework/#developers

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 13, 2025
Vulnerability Reserved
Aug 26, 2025

Credit

Muhammad Yudha - DJ

JSON