CVE-2025-6261
Description
The Fleetwire Fleet Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fleetwire_list shortcode in all versions up to, and including, 1.0.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated Stored XSS in Fleetwire Fleet Management plugin via unsanitized shortcode attributes allows script injection.
The Fleetwire Fleet Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 1.0.19. The vulnerability exists in the fleetwire_list shortcode, where user-supplied attributes are not properly sanitized or escaped before being output. This allows attackers to inject arbitrary HTML and JavaScript code into pages that include the shortcode [1].
Exploitation requires an authenticated user with at least contributor-level access. The injected script is stored in the page and executed whenever any user visits the affected page. No other special privileges or network access are needed beyond the ability to create or edit posts with shortcodes [1].
Successful exploitation enables an attacker to execute arbitrary web scripts in the context of the victim's browser, with whatever privileges the viewing user's session carries. Potential impact includes session hijacking, defacement, redirection to malicious sites, or theft of sensitive information. Because the page is served to every visitor, the injected script can also run in a site administrator's browser, which can lead to full compromise of the WordPress installation [1].
As of the publication date, the vulnerability remains unpatched in version 1.0.19 and earlier. Users are advised to update to the latest version of the plugin if a patched version becomes available. Until then, limiting contributor-level access and reviewing shortcode usage may reduce risk [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
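The defect class the description and narrative point at (contributor-controlled shortcode attributes written into HTML without sanitization or output escaping) is illustrated below in PHP as an added example; this is a hypothetical handler, not the Fleetwire plugin's code, and the attribute names, markup and function names are assumed. It assumes the WordPress runtime, since shortcode_atts, esc_attr, esc_html and the sanitize_* helpers are WordPress core functions.

```php
<?php
// Added illustration of the bug class in CVE-2025-6261; hypothetical handler,
// not the Fleetwire plugin's code. Assumes the WordPress runtime (shortcode_atts,
// esc_attr, esc_html, sanitize_* are core functions). Attribute names and the
// returned markup are assumed for the example.

// Vulnerable pattern: the attribute values a contributor typed into
// [fleetwire_list ...] are concatenated straight into the returned markup.
// Any value that closes the quoted attribute or the heading element becomes
// live HTML for every visitor who loads the page.
function example_vulnerable_list_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Vehicles', 'class' => '' ),
        $atts,
        'fleetwire_list'
    );
    return '<div class="' . $atts['class'] . '"><h2>' . $atts['title'] . '</h2></div>';
}

// Hardened pattern: constrain the shape of each attribute on input, then
// escape for the exact output context (attribute value vs. text node).
function example_hardened_list_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Vehicles', 'class' => '' ),
        $atts,
        'fleetwire_list'
    );
    // sanitize_html_class() keeps only [A-Za-z0-9_-], so the value cannot
    // terminate class="...". sanitize_text_field() strips tags, line breaks
    // and stray whitespace from the free-text title.
    $class = sanitize_html_class( $atts['class'] );
    $title = sanitize_text_field( $atts['title'] );

    // Output escaping is applied regardless of the input filtering above:
    // sanitization and escaping are independent controls, and the CVE text
    // faults both.
    return '<div class="' . esc_attr( $class ) . '">'
         . '<h2>' . esc_html( $title ) . '</h2>'
         . '</div>';
}

// Register only the hardened handler for the shortcode tag.
add_shortcode( 'fleetwire_list', 'example_hardened_list_shortcode' );
```

When reviewing a plugin for this class of issue, check every shortcode callback for attribute values that reach the return string without passing through an esc_* function matched to the surrounding HTML context.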
Affected products
- (no CPE)
- (no CPE), version range: <=1.0.19
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.