CVE-2025-63066

Vulnerability

Overview

The Porto Theme - Functionality WordPress plugin (porto-functionality) versions before 3.7.3 contain a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw enables authenticated users with sufficient privileges to inject arbitrary JavaScript or HTML into pages that will be executed when visited by other users will execute the malicious payload [1].

Exploitation

Details

Exploitation requires a privileged user role such as an administrator or editor to submit crafted input through the plugin's functionality. The attacker does not need direct interaction from a victim administrator but the injected script will execute when any user including site visitors loads the affected page. The vulnerability is classified as Stored XSS meaning the payload persists in the database and affects all subsequent visitors [1].

Impact

A successful attack allows the injection of malicious scripts that can perform actions such as redirecting users to attacker-controlled sites displaying advertisements or stealing session cookies. This can lead to further compromise of the WordPress site including privilege escalation or defacement. The CVSS v3 score is 6.5 (Medium) reflecting the need for authenticated access but the potential for widespread harm [1].

Mitigation

The vendor has released version 3.7.3 which fixes the vulnerability. Users are strongly advised to update immediately. For those unable to update a temporary workaround may involve restricting access to the plugin's functionality or applying a web application firewall rule. Patchstack users can enable auto-updates for vulnerable plugins [1].