CVE-2025-49395

Vulnerability

Overview Themify Icons plugin for WordPress versions up to and including 2.0.3 suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. The input handling fails to sanitize or escape the icon data, allowing malicious scripts to be stored and later executed in the context of other users' browsers.

Exploitation

Conditions The vulnerability is exploitable by authenticated users with at least contributor-level privileges, who can inject arbitrary JavaScript via the plugin's icon management interface. Successful exploitation requires an authenticated user to perform an action such as clicking a crafted link or submitting a form, leading to the persistent injection. The stored script is triggered when other users (including administrators) view the affected pages [1].

Impact

An attacker can embed malicious scripts that execute in the browsers of site visitors, enabling actions such as session hijacking, defacement, redirection to phishing sites, or injection of advertisements. A CVSS v3 base score of 6.5 indicates medium severity, reflecting the need for authenticated access and user interaction but the potential for wide-reaching damage in mass exploitation campaigns [1].

Mitigation

The vendor has released version 2.0.4 which resolves the issue by properly sanitizing icon inputs. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. As a temporary workaround, restrict contributor-level accounts and review icon submissions [1].