CVE-2025-53280
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AntoineH Football Pool football-pool allows Stored XSS.This issue affects Football Pool: from n/a through <= 2.12.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WordPress Football Pool plugin allows attackers to inject malicious scripts via improper input neutralization.
Vulnerability
Overview The Football Pool plugin for WordPress (versions up to and including 2.12.5) suffers from a Stored Cross-Site Scripting (XSS) vulnerability due to Improper Neutralization of Input During Web Page Generation [1]. This means user-supplied input is not properly sanitized before being stored and later displayed to other users, allowing arbitrary JavaScript or HTML to be embedded.
Exploitation
Conditions Exploitation requires a privileged user (e.g., an author or administrator) to interact with a crafted link or form; the attacker does not need direct access to the site. Once triggered, the malicious payload is stored on the server and executed whenever other users (including site visitors) access the affected page [1].
Impact
A successful attack can lead to the execution of arbitrary scripts in the context of the victim's browser. Common uses include redirecting users to malicious sites, displaying unauthorized advertisements, or stealing session cookies [1].
Mitigation
The vendor released version 2.12.6 which resolves the issue. Users are strongly advised to update immediately. For those unable to update, consulting a web developer or hosting provider is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.