CVE-2025-69008
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Inboxify Inboxify Sign Up Form inboxify-sign-up-form allows Stored XSS. This issue affects Inboxify Sign Up Form: from n/a through <= 1.0.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Inboxify Sign Up Form plugin (<=1.0.4) allows attackers to inject malicious scripts executed when visitors browse a compromised WordPress site.
Root Cause
The vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Inboxify Sign Up Form plugin for WordPress, versions through 1.0.4 [1]. Improper neutralization of user input during web page generation allows an attacker to store arbitrary JavaScript or HTML payloads within the plugin's form data, which are later executed in the context of an unsuspecting visitor's browser.
Exploitation
Exploitation requires a user with contributor-level privileges or higher to inject malicious code via the plugin's input fields [1]. While user interaction (e.g., clicking a link or visiting a crafted page) is needed to initiate the attack, the stored payload persists and affects any visitor who views the page containing the infected form.
Impact
Successful exploitation can lead to a wide range of malicious outcomes, including redirection to phishing or malware sites, injection of advertisements, defacement, or theft of session tokens and other sensitive data [1]. The vulnerability's CVSS v3 base score of 5.9 reflects a medium severity, and it is known to be used in mass-exploit campaigns targeting countless websites regardless of size or popularity.
Mitigation
The plugin vendor has not yet released a patch, and the vulnerability remains unpatched in all versions up to 1.0.4 [1]. As an immediate action, users are advised to update the plugin once a fix becomes available [1]. If updating is not possible, requesting assistance from a hosting provider or web developer is recommended. The vulnerability is actively monitored and cataloged by Patchstack.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <= 1.0.4
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.