CVE-2025-15659

Vulnerability

A stored Cross-Site Scripting (XSS) vulnerability exists in the Elizaibots plugin for WordPress versions 1.0.2 and earlier. The flaw allows users with Contributor-level access to inject arbitrary JavaScript into plugin-generated content, which is then stored and rendered without proper sanitization [1].

Exploitation

An attacker must have a WordPress account with at least Contributor privileges. The attacker can inject malicious script payloads into unsuspecting input fields of the plugin. Successful exploitation requires a privileged user (e.g., administrator) to view the injected content, or the script may execute automatically for site visitors when the compromised page is loaded [1].

Impact

If exploited, an attacker can inject arbitrary HTML and JavaScript, leading to redirects, advertisements, or other malicious payloads being executed in the browsers of anyone visiting the affected site. This could result in information disclosure, session hijacking, or defacement [1].

Mitigation

As of the publication date, no fixed version is explicitly referenced; the vendor advises immediate updating of the plugin. Users should update to the latest available version of the Elizaibots plugin or disable it until a patch is applied. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].