CVE-2025-6681

The Fan Page plugin for WordPress versions up to 1.0.1 contain a stored cross-site scripting (XSS) vulnerability due to insufficient input sanitization and output escaping of the 'width' parameter. This flaw enables authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into plugin pages.

Exploitation requires an attacker to have at least Contributor permissions on a WordPress site. By supplying a malicious payload in the 'width' parameter, the injected script is stored and executed whenever any user accesses the affected page. No additional privileges or network position are needed beyond Contributor access.

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of a victim's browser. This can lead to session hijacking, defacement, or theft of sensitive information such as login credentials or personal data [1].

The plugin has been closed as of July 25, 2025, and is no longer available for download. Users are strongly advised to remove the plugin from their installation and seek alternatives to eliminate the risk [1].