CVE-2025-53282

An attacker with low-privilege access (e.g., a Contributor or Author role) can inject malicious JavaScript into a field that the plugin stores and later renders on a page viewed by other users, including administrators [CWE-79]. The attack is network-based, requires no special network position, and relies on user interaction (e.g., an admin visiting the affected page) to trigger the payload. The CVSS vector confirms the attack complexity is low and the scope is changed, meaning the injected script can impact resources beyond the vulnerable component.

The advisory does not specify exact file paths or functions. The vulnerability exists in the Thumbnail Editor plugin for WordPress (versions ≤ 2.3.3) and involves improper neutralization of user-controllable input before it is placed in output served to other users, leading to stored cross-site scripting.

No patch is included in the bundle. The advisory does not provide a fix or remediation guidance beyond the general CWE description. To remediate, the plugin should sanitize and escape all user-controllable inputs before storing them and before rendering them in the admin or front-end pages, following WordPress's built-in escaping functions such as `esc_html()`, `esc_attr()`, and `wp_kses()`.