CVE-2025-6256
Description
The Flex Guten plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘thumbnailHoverEffect’ parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Flex Guten plugin via thumbnailHoverEffect parameter allows authenticated attackers with Contributor access to inject arbitrary scripts.
Vulnerability
Overview
The Flex Guten plugin for WordPress, versions up to and including 1.2.5, contains a stored Cross-Site Scripting (XSS) vulnerability in the 'thumbnailHoverEffect' parameter. The vulnerability arises from insufficient input sanitization and output escaping, allowing malicious input to be stored and later rendered unsafely in pages.
Exploitation
Prerequisites
An attacker must be an authenticated WordPress user with at least Contributor-level access. No further privileges are required. The attacker injects arbitrary web scripts into the 'thumbnailHoverEffect' parameter, which are then stored and executed when any user visits the affected page.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive information. The stored XSS persists until the injected content is removed or the plugin is updated.
Mitigation
The vulnerability has been patched in version 1.2.6 of the plugin, as indicated in the changelog [1]. Users are strongly advised to update to version 1.2.6 or later to eliminate the risk.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: <=1.2.5
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4News mentions
0No linked articles in our index yet.