CVE-2025-47617

Vulnerability

Overview The WP Front User Submit / Front Editor plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows attackers to inject arbitrary HTML and JavaScript code that is stored on the server and later executed in the browsers of visitors.

Exploitation

Details An attacker with at least contributor-level privileges can inject malicious payloads through the plugin's submission forms. Successful exploitation requires a privileged user to perform an action such as clicking a malicious link or submitting a crafted form [1]. The vulnerability is particularly dangerous because it can be used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity.

Impact

If exploited, an attacker can execute arbitrary scripts in the context of the victim's browser, leading to session hijacking, redirection to malicious sites, defacement, or theft of sensitive information [1]. The CVSS score of 5.9 (Medium) reflects the need for user interaction and authenticated access, but the potential for widespread abuse is significant.

Mitigation

The vendor has not yet released a patch for versions up to 5.0.6. Users are strongly advised to update the plugin as soon as a fix becomes available. If immediate updating is not possible, consider disabling the plugin or implementing a web application firewall (WAF) to block malicious input [1].