CVE-2019-25743
Description
WordPress Soliloquy Lite 2.5.6 has a persistent XSS vulnerability allowing authenticated users to inject scripts via the post title field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
WordPress Soliloquy Lite versions up to and including 2.5.6 contain a persistent cross-site scripting (XSS) vulnerability. This flaw allows authenticated attackers to inject malicious script tags into the post title field, which are then stored by the plugin [3].
Exploitation
An attacker with authenticated access to WordPress can exploit this vulnerability by submitting a POST request to the post editing endpoint, with the script payload carried in the post_title parameter. The stored script is triggered when another user previews the post that contains it [3].
Impact
Successful exploitation of this vulnerability allows an attacker to inject malicious scripts that will be stored persistently. When other users preview the affected post, these scripts will be executed in their browser context, potentially leading to session hijacking, defacement, or further malicious actions depending on the script's functionality [3].
Mitigation
There is no specific patched version or release date mentioned in the available references. Users are advised to check for updates from the plugin developers. As of the available information, no workarounds or EOL status are disclosed [1, 2, 3].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <2.5.6
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (4)
News mentions
No linked articles in our index yet.