CVE-2025-67541

Vulnerability

Overview

The WP-ShowHide plugin for WordPress, versions up to and including 1.05, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This vulnerability arises because the plugin fails to sanitize or escape user-supplied data before storing it, allowing the injection of arbitrary HTML and JavaScript [1].

Exploitation

Prerequisites

Exploitation requires a privileged user role (such as an administrator) to be able to store the malicious payload within the plugin's functionality [1]. The attacker does not need to trick the site owner directly; however, any visitor or user who interacts with the affected page may trigger the injected script [1]. This type of flaw is commonly targeted in mass-exploit campaigns because it can affect many websites regardless of their size or popularity [1].

Impact

A successful exploit allows an attacker to inject malicious scripts, such as redirects, advertisements, and other HTML payloads, into the website [1]. These scripts execute in the context of the victim's browser when they visit the compromised page, potentially leading to session hijacking, defacement, or further compromise [1].

Mitigation

The vendor has released version 1.06 which resolves the vulnerability [1]. Users are strongly advised to update the plugin immediately [1]. Patchstack users can enable auto-updates for vulnerable plugins [1]. If updating is not possible, contacting a hosting provider or developer for assistance is recommended [1].