CVE-2025-5843

Root

Cause The Brandfolder WordPress plugin, in all versions up to and including 5.0.19, suffers from a Stored Cross-Site Scripting vulnerability. The flaw resides in insufficient input sanitization and output escaping of the id parameter, which is used in shortcodes like [Brandfolder id="..."] [1]. This allows malicious input to bypass filtering and be stored within the WordPress database.

Exploitation

To exploit this vulnerability, an attacker must have at least Contributor-level access to the WordPress site. The attacker injects a crafted payload into the id parameter of the Brandfolder shortcode when creating or editing a post or page. Once saved, the injected script is stored and will execute each time a user views the affected content [1]. Because the plugin relies on the Gutenberg editor and shortcode rendering, the malicious script becomes active on any page where the shortcode appears.

Impact

Successful exploitation results in arbitrary web script execution in the context of the victim's browser. This can lead to session hijacking, defacement, theft of sensitive tokens, or further privilege escalation within the WordPress admin. The stored nature of the XSS increases the reach, as any administrator, editor, or visitor encountering the compromised page may be affected [1].

Mitigation

As of the publication date (2025-07-16), a patched version has not been explicitly announced. Users are advised to restrict Contributor-level and higher access to trusted authors, and to consider disabling the Brandfolder plugin until an update is released. The vendor's support channels and the WordPress plugin directory should be monitored for security fixes [1].