VYPR
Medium severity · 5.9 · NVD Advisory · Published May 7, 2025 · Updated Apr 23, 2026

CVE-2025-47638

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sarvesh M Rao WP Discord Invite (wp-discord-invite) allows Stored XSS. This issue affects WP Discord Invite: from n/a through 2.5.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in the WP Discord Invite plugin (≤ 2.5.3) lets an authenticated attacker save script that later executes in the browsers of visitors who view the affected output.

Vulnerability Overview

The WP Discord Invite plugin for WordPress (versions up to and including 2.5.3) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This CWE-79 flaw enables an authenticated user to inject arbitrary JavaScript or HTML payloads that persist in the application, affecting subsequent visitors.

Exploitation Details

Exploitation requires an authenticated user whose role lets them submit or save data that the plugin later renders; the description does not state the minimum role. Such a user can store script or HTML in fields that the plugin outputs without sanitization or escaping [1]. The only interaction required of a victim is loading a page on which the stored payload is rendered, so once the payload is saved every visitor to that page may be affected [1].
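
To make the mechanism concrete, here is an added example (not the plugin's code) of the CWE-79 pattern the advisory describes, in WordPress terms: a settings value saved raw and echoed raw, beside the hardened form that authorizes the request, verifies a nonce, sanitizes on save and escapes on output. The option names, the `xmpl_` prefix and the `[xmpl_discord_invite]` shortcode are hypothetical.

```php
<?php
/**
 * Illustrative stored-XSS pattern and its WordPress-idiomatic fix.
 * Hypothetical plugin: option names, the xmpl_ prefix and the shortcode
 * are invented for this example and are NOT WP Discord Invite's code.
 */

// --- Vulnerable pattern (CWE-79): raw input saved, raw option echoed. ---
function xmpl_save_settings_vulnerable() {
    if ( ! isset( $_POST['xmpl_invite_label'] ) ) {
        return;
    }
    // No capability check, no nonce, no sanitization: whatever the
    // authenticated user submits is persisted verbatim in wp_options.
    update_option( 'xmpl_invite_label', $_POST['xmpl_invite_label'] );
}

function xmpl_render_invite_vulnerable() {
    $label = get_option( 'xmpl_invite_label', 'Join our Discord' );
    $url   = get_option( 'xmpl_invite_url', '' );
    // The stored value is interpolated straight into HTML, so a saved
    // payload such as  "><img src=x onerror=alert(document.cookie)>
    // runs for every visitor who loads a page containing the shortcode.
    return '<a class="xmpl-invite" href="' . $url . '">' . $label . '</a>';
}

// --- Hardened pattern: authorize, verify nonce, sanitize in, escape out. ---
function xmpl_save_settings_hardened() {
    if ( ! isset( $_POST['xmpl_invite_label'] ) ) {
        return;
    }
    // Only users allowed to manage options may change the button text.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'xmpl' ), '', array( 'response' => 403 ) );
    }
    // Reject forged cross-site form posts; the form must carry
    // wp_nonce_field( 'xmpl_save_settings', 'xmpl_settings_nonce' ).
    check_admin_referer( 'xmpl_save_settings', 'xmpl_settings_nonce' );

    // Strip tags and normalize whitespace before the value ever hits the DB.
    $label = sanitize_text_field( wp_unslash( $_POST['xmpl_invite_label'] ) );
    update_option( 'xmpl_invite_label', $label );

    if ( isset( $_POST['xmpl_invite_url'] ) ) {
        // esc_url_raw() keeps only allowed schemes, so a javascript: URL
        // is reduced to an empty string rather than stored.
        update_option( 'xmpl_invite_url', esc_url_raw( wp_unslash( $_POST['xmpl_invite_url'] ) ) );
    }
}

function xmpl_render_invite_hardened() {
    $label = get_option( 'xmpl_invite_label', 'Join our Discord' );
    $url   = get_option( 'xmpl_invite_url', '' );
    // Escape at the point of output, choosing the escaper by HTML context:
    // esc_url() for the href attribute, esc_html() for the element body.
    // Output escaping neutralizes payloads that were stored before the fix.
    return sprintf(
        '<a class="xmpl-invite" href="%s">%s</a>',
        esc_url( $url ),
        esc_html( $label )
    );
}

add_action( 'admin_init', 'xmpl_save_settings_hardened' );
add_shortcode( 'xmpl_discord_invite', 'xmpl_render_invite_hardened' );
```

In a real plugin the save path is usually routed through register_setting() with a sanitize_callback, which lets the Settings API handle the nonce and capability checks; the point that carries over is that sanitizing on save alone is not sufficient, because records written before the fix stay in the database, so the renderer must escape on output regardless of what it reads back.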

Potential Impact

Successful exploitation executes attacker-controlled script in the browser of anyone who views the injected content. The script can read data available to the page, issue requests with the victim's WordPress session (with administrative privileges if an administrator views the page), deface the page, or inject unwanted advertisements and redirects [1]. The impact is confined to browser-level attacks within the affected WordPress site.

Mitigation and Remediation

The vendor has released version 2.6.0, which addresses the vulnerability [1]. Users are strongly advised to update immediately. Because the payload is stored, also review the plugin's saved settings and any content it renders for unexpected markup after updating. For those unable to update, consulting a hosting provider or web developer for temporary workarounds is recommended. Patchstack users can enable auto-updates for this plugin to ensure prompt patching [1].
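
As an added remediation check (not vendor code), the following drop-in can be placed in wp-content/mu-plugins/ to warn administrators while an affected version is installed. It assumes the plugin lives in the wp-discord-invite/ directory, matching the product slug in the description; the main file name is not assumed, so every plugin file under that directory is checked. The xmpl_ prefix is hypothetical.

```php
<?php
/**
 * Added example: flag installs of WP Discord Invite below the fixed 2.6.0.
 * Assumes the plugin directory is 'wp-discord-invite/' (the CVE's product
 * slug); does not assume the plugin's main file name.
 */
function xmpl_wpdi_vulnerable_version() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    // get_plugins() keys entries by path relative to the plugins dir,
    // e.g. 'wp-discord-invite/<main-file>.php', active or not.
    foreach ( get_plugins() as $plugin_file => $data ) {
        if ( 0 !== strpos( $plugin_file, 'wp-discord-invite/' ) ) {
            continue;
        }
        // Fixed in 2.6.0; the advisory lists everything through 2.5.3 as affected.
        if ( version_compare( $data['Version'], '2.6.0', '<' ) ) {
            return $data['Version'];
        }
        return false; // installed and already patched
    }
    return false; // not installed
}

function xmpl_wpdi_admin_notice() {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    $installed = xmpl_wpdi_vulnerable_version();
    if ( false === $installed ) {
        return;
    }
    // The notice itself is escaped on output, the same discipline the CVE is about.
    printf(
        '<div class="notice notice-error"><p>%s</p></div>',
        esc_html( sprintf(
            'WP Discord Invite %s is installed; versions before 2.6.0 are affected by CVE-2025-47638 (stored XSS). Update the plugin now.',
            $installed
        ) )
    );
}
add_action( 'admin_notices', 'xmpl_wpdi_admin_notice' );
```

From a shell on the host, the equivalent one-off check and fix are `wp plugin get wp-discord-invite --field=version` followed by `wp plugin update wp-discord-invite`.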

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 1
v2.6.0: wp-discord-invite 2.6.0 (next version after vulnerable 2.5.3)


References: 1
