CVE-2025-64220

Vulnerability

Overview CVE-2025-64220 is a Stored Cross-Site Scripting (XSS) vulnerability in the Rey Core WordPress plugin (rey-core) versions up to and including 3.1.8. The root cause is improper neutralization of user-supplied input during web page generation, allowing malicious scripts to be stored and later executed in the context of a visitor's browser [1].

Exploitation

Prerequisites Exploitation requires an authenticated user with at least contributor-level privileges to inject the payload. The attack is considered low complexity but requires user interaction — a privileged user must perform an action such as clicking a malicious link or submitting a crafted form to trigger the stored script [1].

Impact

Successful exploitation enables an attacker to inject arbitrary HTML and JavaScript, leading to actions such as redirecting visitors to malicious sites, displaying unauthorized advertisements, or stealing session cookies. This could compromise the integrity and trustworthiness of the affected WordPress site [1].

Mitigation

The vendor has released version 3.1.9 which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, enabling auto-updates for vulnerable plugins via Patchstack or consulting a hosting provider is recommended [1].