VYPR
Medium severity 6.5 · NVD Advisory · Published Jun 27, 2025 · Updated Apr 23, 2026

CVE-2025-53294

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Smart Agenda Smart Agenda smart-agenda-prise-de-rendez-vous-en-ligne allows Stored XSS. This issue affects Smart Agenda: from n/a through <= 4.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Smart Agenda plugin (≤4.9) allows attackers with contributor-level access to inject malicious scripts viewed by other users.

Vulnerability Analysis

The Smart Agenda plugin for WordPress, versions through 4.9, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw resides in the smart-agenda-prise-de-rendez-vous-en-ligne plugin and is classified as a Stored XSS vulnerability [1].

Attack Vector and Exploitation

To exploit this vulnerability, an attacker must have at least contributor-level access to the WordPress site [1]. The attacker can inject malicious scripts into fields that are later displayed to other users, such as appointment data or other plugin-generated content. Successful exploitation requires the victim (an administrator or visitor) to interact with the crafted page, for example by viewing an appointment or clicking a link [1].

Impact

An attacker can inject arbitrary JavaScript or HTML payloads, which may result in redirects, unwanted advertisements, or theft of session cookies [1]. This could lead to further compromise of the affected site, including privilege escalation if an administrator's session is hijacked.

Mitigation

The vendor has released version 5.0, which fixes the vulnerability [1]. Users are strongly advised to update immediately. For those unable to update, Patchstack recommends enabling auto-updates or contacting their hosting provider for assistance [1].
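
A defender-side check for the affected range, as an added example that is not part of the advisory or the plugin's code: it reads the plugin's WordPress header and compares the installed version with the fixed release 5.0. It assumes the standard `wp-content/plugins/<slug>` layout and treats every release below 5.0 as affected.

```python
import re
import sys
from pathlib import Path

SLUG = "smart-agenda-prise-de-rendez-vous-en-ligne"  # plugin slug named in the advisory
FIXED = (5, 0)  # first fixed release per the advisory; anything lower is treated as affected

# WordPress reads plugin metadata from a header comment near the top of a PHP file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d[0-9A-Za-z.\-]*)", re.M | re.I)

def parse_version(text):
    """Turn '4.9' or '4.10.2-beta' into a tuple of ints, stopping at a non-numeric part."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def installed_version(plugin_dir):
    """Return the Version header of the file that carries 'Plugin Name:', or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        if "Plugin Name:" in head:
            m = VERSION_RE.search(head)
            return m.group(1) if m else None
    return None

def audit(wp_root):
    """Classify a WordPress tree as 'absent', 'unknown', 'vulnerable' or 'fixed'."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return "absent", None
    version = installed_version(plugin_dir)
    if version is None:
        return "unknown", None
    v = parse_version(version)
    v += (0,) * (len(FIXED) - len(v))  # pad so '5' compares equal to '5.0'
    return ("vulnerable" if v < FIXED else "fixed"), version

if __name__ == "__main__":
    for root in sys.argv[1:]:  # pass one or more WordPress document roots
        status, version = audit(root)
        print(f"{root}: {SLUG} {status} (installed: {version})")
```

An "unknown" result means the plugin directory exists but no version header could be read, so that install needs a manual look.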

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
