CVE-2025-3832

The FuseDesk plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability due to insufficient input sanitization and output escaping of the ‘successredirect’ parameter. This flaw exists in all versions up to and including 6.7, allowing untrusted data to be embedded within pages that are later rendered to users [1].

An authenticated attacker with at least Contributor-level access can exploit this by providing a crafted payload in the ‘successredirect’ parameter when creating or editing a page. The payload is stored on the server and executed in the browser of any user who subsequently views the affected page. No additional privileges or user interaction beyond page access is required for the exploit to trigger [1].

Successful exploitation enables the attacker to inject arbitrary web scripts, which can lead to session hijacking, credential theft, or defacement of the WordPress site. Since the scripts execute in the context of the victim’s session, the impact can be severe, particularly for administrative users [1].

The vulnerability has been addressed in version 6.7.1, released on April 23, 2025, which sanitizes redirect URLs to prevent XSS. Users are strongly advised to update to the latest version immediately. No workarounds are available for affected versions [1].