VYPR
Medium severity 6.5 · NVD Advisory · Published Jun 27, 2025 · Updated Apr 23, 2026

CVE-2025-53336

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in abditsori My Resume Builder my-resume-builder allows Stored XSS. This issue affects My Resume Builder: from n/a through <= 1.0.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in abditsori My Resume Builder (≤1.0.3) allows attackers to inject arbitrary scripts via unsanitized input.

Vulnerability

CVE-2025-53336 is a stored cross-site scripting (XSS) vulnerability in the WordPress plugin My Resume Builder by abditsori, affecting versions up to and including 1.0.3 [1]. The flaw originates from improper neutralization of user-supplied input during web page generation, meaning the plugin fails to sanitize or escape data before rendering it in a user's browser [1].

Exploitation

Attackers with sufficient privileges (such as a contributor or author role) can inject malicious scripts into fields that are later stored and displayed to other users [1]. Successful exploitation requires a privileged user to perform an action (such as clicking a crafted link or submitting a form) that triggers the payload [1]. The payload is stored on the server, so the script executes every time a victim visits the affected page.

Impact

An attacker can inject arbitrary HTML and JavaScript, leading to session hijacking, forced redirects to phishing or malware sites, site defacement, or theft of sensitive data [1]. Because this is a stored XSS, the impact extends to every visitor of the compromised page, not just the initial target.

Mitigation

The vendor has released a patch; users must update to version 1.0.4 or later immediately [1]. If updating is not possible, site administrators should consider disabling the plugin or implementing a web application firewall (WAF) as a temporary workaround [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
