VYPR
High severity · 7.1 · NVD Advisory · Published Mar 3, 2025 · Updated Apr 23, 2026

CVE-2025-25142

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Jake Group WP Less Compiler wp-less-compiler allows Stored XSS. This issue affects WP Less Compiler: from n/a through <= 1.3.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in WP Less Compiler plugin up to 1.3.0 allows authenticated attackers to inject malicious scripts executed on visitors' browsers.

CVE-2025-25142 is a stored cross-site scripting (XSS) vulnerability in the WP Less Compiler WordPress plugin, affecting all versions up to and including 1.3.0. The issue arises from improper neutralization of user-supplied input during web page generation, allowing attackers with certain privileges to inject arbitrary HTML and JavaScript that gets permanently stored on the server.

To exploit this vulnerability, an attacker must have at least a contributor-level role, and user interaction is required. The injection occurs when a privileged user performs an action such as clicking a malicious link or submitting a crafted form. Once the payload is stored, it executes automatically whenever site visitors access the compromised page.

Successful exploitation can lead to script injection enabling redirects, display of advertisements, or other malicious HTML payloads that affect all visitors to the website. The CVSS v3.1 base score of 7.1 (High) reflects the potential for broad impact across site visitors, though exploitation requires some user interaction and prior authentication.

As of the publication date (2025-03-03), no official patch is available. However, Patchstack has issued a mitigation rule to block attacks until an update can be safely applied [1]. Users are strongly advised to apply any available patch as soon as it is released, or to temporarily disable or replace the plugin if immediate mitigation is not possible.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1