CVE-2025-67545
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FirePlugins FireBox firebox allows Stored XSS. This issue affects FireBox: from n/a through <= 3.1.0-free.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The FireBox WordPress plugin by FirePlugins (<= 3.1.0-free) has a stored XSS vulnerability that could allow an attacker with Contributor-level access to inject malicious scripts into site pages.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the FirePlugins FireBox plugin for WordPress, versions up to and including 3.1.0-free [1]. The plugin fails to neutralize user-supplied input before writing it into generated pages, allowing an attacker with Contributor-level or higher privileges to inject arbitrary script into a page or post [1]. Because the XSS is stored, the injected code persists on the server and executes whenever a visitor loads the affected page.
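The pattern behind this class of bug, shown as an added illustration rather than FireBox's own code: a hypothetical popup plugin stores Contributor-editable fields in post meta and writes them straight into the page. The meta keys and function names below are assumptions for the example; the WordPress API calls (get_post_meta, update_post_meta, sanitize_text_field, esc_url_raw, esc_html, esc_url, current_user_can) are real.

```php
<?php
/**
 * Added illustration, not FireBox's code: a hypothetical popup plugin
 * that stores two Contributor-editable fields in post meta and renders
 * them into the front end. Vulnerable and hardened paths side by side.
 *
 * Hypothetical meta keys: _popup_subtitle, _popup_button_url
 */

// --- Vulnerable: input is never neutralized during page generation ----
function popup_render_vulnerable( $post_id ) {
    $subtitle = get_post_meta( $post_id, '_popup_subtitle', true );
    $url      = get_post_meta( $post_id, '_popup_button_url', true );

    // Raw strings interpolated into HTML. A Contributor who saved
    // <img src=x onerror=...> as the subtitle gets script execution in
    // every visitor's browser; a javascript: URL passes through as well.
    return '<div class="popup">'
         . '<h2>' . $subtitle . '</h2>'
         . '<a class="btn" href="' . $url . '">Go</a>'
         . '</div>';
}

// --- Hardened: sanitize on save, escape on output ----------------------
function popup_save_meta( $post_id, $subtitle, $url ) {
    // Only users who may edit this post can change its popup fields.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return false;
    }
    // Strip tags and control characters from the free-text field...
    update_post_meta( $post_id, '_popup_subtitle', sanitize_text_field( $subtitle ) );
    // ...and accept only http/https targets for the link, so a
    // javascript: URL is rejected before it reaches the database.
    $clean_url = esc_url_raw( $url, array( 'http', 'https' ) );
    update_post_meta( $post_id, '_popup_button_url', $clean_url );
    return true;
}

function popup_render_hardened( $post_id ) {
    $subtitle = get_post_meta( $post_id, '_popup_subtitle', true );
    $url      = get_post_meta( $post_id, '_popup_button_url', true );

    // Escape for the exact context each value lands in: text node vs.
    // href attribute. Output escaping still protects visitors when an
    // old, unsanitized value is already sitting in the database.
    return '<div class="popup">'
         . '<h2>' . esc_html( $subtitle ) . '</h2>'
         . '<a class="btn" href="' . esc_url( $url ) . '">Go</a>'
         . '</div>';
}
```

The important design point is that sanitizing on save alone is not enough: content stored before the fix, or written through another code path, is only made safe by escaping at the point of output, in the context (HTML text, attribute, URL) where the value is emitted.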
Exploitation
To exploit this vulnerability, an attacker must first hold a WordPress account with at least the Contributor role [1]. The attacker then crafts a malicious payload (e.g., JavaScript) and stores it through a FireBox-related input field or content. Once stored, the payload needs no further action from the attacker: it executes in the browser of any visitor who loads a page on which the plugin renders that content [1]. The visitor does not need to be authenticated to be affected.
Impact
Successful exploitation allows the attacker to inject arbitrary HTML and JavaScript into pages of the victim website [1]. This can be used to redirect visitors to malicious sites, display unwanted advertisements, steal session cookies, or perform other client-side attacks [1]. Because the payload is stored, every visitor to the affected page is exposed until the content is removed; if an administrator views the page, the script runs in the administrator's session and can perform actions with that user's privileges, which is the usual path from a Contributor account to a broader site compromise.
Mitigation
The vulnerability has been addressed in version 3.1.1-free of the plugin [1]. Users are strongly recommended to update immediately. For sites that cannot update right away, temporary workarounds include reviewing and restricting Contributor-level accounts or deploying Web Application Firewall (WAF) rules that block common XSS vectors; WAF rules are a stopgap that encoded payloads can evade, so updating remains the definitive fix. Patchstack users can enable auto-updates for this plugin to receive the patch automatically [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <= 3.1.0-free
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.