CVE-2025-25084
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in antrouss UniTimetable unitimetable allows Stored XSS. This issue affects UniTimetable: from n/a through <= 1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in the UniTimetable WordPress plugin (≤1.1) allows attackers with contributor-level access to inject malicious scripts.
Vulnerability Overview
CVE-2025-25084 is a stored cross-site scripting (XSS) vulnerability in the UniTimetable plugin for WordPress, affecting all versions up to and including 1.1. The flaw stems from improper neutralization of user-supplied input during web page generation, allowing an authenticated attacker with contributor-level privileges to inject arbitrary JavaScript or HTML into the plugin's output [1].
Exploitation and Requirements
Exploitation requires a user with at least the Contributor role within WordPress. The attacker injects a malicious payload into a vulnerable field (such as a timetable entry), which is then stored and executed when any visitor — including site administrators and guests — loads the affected page. While user interaction is needed for privileged users (e.g., an admin clicking a link), the stored script executes automatically for regular site visitors [1].
Impact and Risk
A successful attack enables the injection of arbitrary scripts, which can be used to redirect visitors to malicious sites, display unauthorized advertisements, steal session cookies, or deface the website. Given the plugin's public-facing nature, the vulnerability is considered moderately dangerous and is expected to be exploited in mass automated campaigns against many sites simultaneously [1].
Mitigation Status
As of the publication date, an official patch has not yet been released. The recommended immediate action is to update the plugin once a fix is available. For those unable to update, Patchstack has issued a virtual mitigation rule to block exploitation attempts until a tested patch can be applied [1]. Site administrators should also consider removing the plugin or limiting contributor access as a temporary workaround.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.