CVE-2025-7959

Vulnerability

Overview

The Station Pro plugin for WordPress, versions up to and including 2.4.2, contains a Stored Cross-Site Scripting (XSS) vulnerability. The flaw stems from insufficient input sanitization and output escaping on the ‘width’ and ‘height’ parameters, allowing attackers to inject arbitrary web scripts [1].

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must be authenticated with at least Contributor-level access. The injected scripts are stored in pages and execute whenever a user accesses the compromised page. No additional privileges or network position beyond standard WordPress contributor access is required [1].

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of any victim visiting the affected page. This can lead to data theft, session hijacking, or defacement. The plugin has been closed on the WordPress plugin directory as of July 22, 2025, due to this security issue [1].

Mitigation

As of the publication date, no patched version is available. The plugin is no longer available for download. Users are advised to remove or replace the plugin. There is no mention of this CVE being added to the Known Exploited Vulnerabilities (KEV) catalog at this time [1].