CVE-2025-60144
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yonifre Lenix scss compiler lenix-scss-compiler allows Stored XSS. This issue affects Lenix scss compiler: from n/a through <= 1.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Lenix SCSS Compiler WordPress plugin up to version 1.2 allows attackers with contributor-level access to inject malicious scripts.
Vulnerability Overview
The Lenix SCSS Compiler WordPress plugin (lenix-scss-compiler) versions through 1.2 contain a Stored Cross-Site Scripting (XSS) vulnerability. This stems from improper neutralization of user input during web page generation, allowing malicious scripts to be permanently stored on the server [1].
Exploitation Conditions
The vulnerability requires at least contributor-level user privileges. Exploitation also requires user interaction, such as clicking a malicious link or visiting a crafted page [1]. Attackers can inject arbitrary HTML and JavaScript payloads, which are then executed when other users (including site visitors) access the affected page.
Impact
Successful exploitation enables an attacker to inject redirects, advertisements, or other HTML payloads into the website. These scripts execute in the context of visitors' browsers, potentially leading to defacement, credential theft, or malware distribution [1].
Mitigation
The vendor has not released a patched version for this vulnerability. Since the plugin's last update was version 1.2, users should assume it is end-of-life and consider disabling or removing the plugin immediately. The Patchstack advisory notes that such vulnerabilities are used in mass-exploit campaigns against thousands of websites [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.2
Patches
No patches discovered yet.
References