CVE-2025-8392

The Mitfahrgelegenheit plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.1.5. The vulnerability exists because the plugin fails to properly sanitizes the 'date' parameter when it is stored in the database via the settings page, but fails to escape the value when it is output in the shortcode handler. Specifically, in the `bmf bmf_list() function, the date value retrieved from the database or shortcode attributes is directly concatenated into a JavaScript configuration string without any escaping [1].

An attacker with at least Contributor-level access can exploit this by injecting malicious JavaScript into the 'date' parameter through the plugin's settings or shortcode. The injected script is then stored and executed in the context of any user who views a page containing the Mitfahrgelegenheit shortcode. No additional authentication is required beyond the contributor role, and the attack does not require any special network position [1].

Successful exploitation allows the attacker to execute arbitrary web scripts in the browsers of users visiting the affected page. This can cause session hijacking, defacement, or redirection to malicious sites. The impact is limited to the WordPress site's user base, but since the script executes in the context of the victim's session, it can lead to privilege escalation if an administrator views the page [1].

The vendor has not released a patched version as of the publication date. Users are advised to mitigate the risk, site administrators should restrict the Contributor role's ability to use the Mitfahrgelegenheit shortcode or disable the plugin until a fix is available. The vulnerability has not been listed in CISA's Known Exploited Vulnerabilities catalog [1].