CVE-2025-23635

The ePermissions plugin for WordPress versions up to and including 1.2 contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This means the plugin fails to sanitize or escape input before it is included in output, allowing an attacker to inject malicious HTML or JavaScript code into a dynamically generated page.

Exploitation requires user interaction: the targeted user must click on a crafted link, submit a form, or visit a specially prepared page [1]. No authentication is needed to initiate the attack, but the victim must be a privileged user (such as an administrator) to complete the exploitation flow. The attack vector is network-based, making it possible to launch remote attacks against any vulnerable WordPress site.

Successful exploitation allows an attacker to inject arbitrary scripts that execute in the context of the victim's browser. This can lead to malicious actions such as redirecting visitors to attacker-controlled sites, displaying unwanted advertisements, or injecting other HTML payloads [1]. Such vulnerabilities are commonly used in mass-exploit campaigns targeting thousands of websites simultaneously [1].

As a mitigation, the vendor has not yet released an official patch, but Patchstack has issued a mitigation rule to block attacks [1]. The recommended immediate action for site administrators is to update the plugin as soon as a fix becomes available, or to contact their hosting provider for assistance [1].