CVE-2025-7059

The Simple Featured Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.3.1. The vulnerability exists due to insufficient input sanitization and output escaping on the 'slideshow' parameter, allowing authenticated attackers to inject arbitrary web scripts that execute when a page containing the malicious input is accessed [1].

To exploit this vulnerability, an attacker must have at least Contributor-level access to the WordPress site. The attacker can craft a payload within the 'slideshow' parameter of the plugin's settings or shortcode, which is then stored and rendered unsanitized. This requires no additional privileges beyond the Contributor role, which is typically granted to trusted users but can be a target for compromise [1].

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of any user visiting the affected page. This can lead to session hijacking, defacement, or redirection to malicious sites. The plugin has been closed on the WordPress plugin repository as of July 7, 2025 due to this security issue [1]. Users are advised to remove the plugin immediately as no patch is available.