CVE-2025-28930

Vulnerability

The List Mixcloud plugin for WordPress versions up to and including 1.4 fails to properly neutralize user input during web page generation, leading to stored cross-site scripting (XSS) [1]. This issue occurs because the plugin does not sanitize or escape input before storing it in the database.

Exploitation

An attacker with at least contributor-level privileges can inject malicious HTML or JavaScript code via the plugin's input fields. The injected payload is then stored and executed when any user, including site administrators, visits the affected page. No additional user interaction is required for the payload to execute, but the attacker must first have authenticated access with sufficient privileges [1].

Impact

Successful exploitation allows an attacker to execute arbitrary scripts in the context of the victim's browser. This can be used to steal sensitive information such as session cookies, perform actions on behalf of the victim, or deface the website. The vulnerability is particularly dangerous in WordPress environments where multiple users have access [1].

Mitigation

The vendor has released a patch; users should update the List Mixcloud plugin to the latest available version. If immediate updating is not possible, consider disabling the plugin until a patch can be applied [1].