CVE-2025-27006
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themeplugs Authorsy authorsy allows Stored XSS. This issue affects Authorsy: from n/a through <= 1.0.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WordPress Authorsy plugin (≤1.0.5) allows attackers to inject malicious scripts via improperly neutralized input.
Vulnerability Description
CVE-2025-27006 is a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Authorsy (versions up to 1.0.5). The root cause is improper neutralization of input during web page generation, which allows an attacker to inject arbitrary JavaScript into pages that are then stored on the server and executed when other users visit those pages [1].
Exploitation
To exploit this vulnerability, an attacker must have a user role capable of submitting content that gets saved (e.g., author or contributor). While the vulnerability requires a privileged user to perform an action—such as clicking a link or submitting a form—the injected script can then execute in the context of other users who view the affected page. No special network access is needed beyond a standard WordPress installation because the attack is performed through the plugin's normal input mechanisms [1].
Impact
Successful exploitation allows an attacker to inject scripts that can redirect visitors to attacker-controlled sites, display advertisements, or steal session cookies. This could compromise the integrity of the website and lead to further attacks against site visitors or administrators [1].
Mitigation
The vulnerability is fixed in version 1.0.6 of the Authorsy plugin. Users are strongly advised to update immediately. For those who cannot update, Patchstack offers a mitigation rule to block attacks until the patch is applied. Given that this type of vulnerability is expected to be used in mass-exploit campaigns, prompt action is recommended [1].
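A version check for the mitigation above, as an added example that is not part of the original page or the plugin's own code: it reads the WordPress plugin header and compares it with the fixed release 1.0.6. The plugin directory name `authorsy`, the default `wp-content/plugins` path and the helper names are assumptions.

```python
import re
import sys
from pathlib import Path

FIXED = (1, 0, 6)   # first fixed release according to the advisory text
SLUG = "authorsy"   # assumption: the plugin directory is named after its slug

# Same shape as a WordPress plugin header line, e.g. " * Version: 1.0.5"
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9]+(?:\.[0-9]+)*)", re.M | re.I)

def parse_version(text):
    """Turn '1.0.5' into (1, 0, 5), padded to at least three parts."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def plugin_version(plugin_dir):
    """Return the Version header of the plugin's main PHP file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # WordPress only reads the first 8 KB of a file for plugin headers.
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        if re.search(r"Plugin Name:", head, re.I):
            match = HEADER_RE.search(head)
            if match:
                return match.group(1)
    return None

def audit(plugins_root):
    """Return (status, version) for the Authorsy plugin under plugins_root."""
    plugin_dir = Path(plugins_root) / SLUG
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    version = plugin_version(plugin_dir)
    if version is None:
        return ("unknown", None)
    # Numeric tuple comparison, so 1.0.10 sorts after 1.0.6.
    status = "vulnerable" if parse_version(version) < FIXED else "patched"
    return (status, version)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    print(audit(root))
```

A `patched` result only confirms the installed version; content stored while a vulnerable version was active still needs review.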
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.0.5