VYPR
Medium severity (CVSS 6.4) · NVD Advisory · Published Sep 17, 2025 · Updated Apr 15, 2026

CVE-2025-8394


Description

The Productive Style plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's display_productive_breadcrumb shortcode in all versions up to, and including, 1.1.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Productive Style WordPress plugin via shortcode attribute, allowing contributor-level attackers to inject scripts.

The Productive Style plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.1.23. The vulnerability exists in the display_productive_breadcrumb shortcode, which fails to sanitize user-supplied attributes on input and to escape them on output before rendering. This allows attackers to inject arbitrary web scripts that are stored with the post content and executed when other users access the affected page [1].

The attack requires authenticated access with at least contributor-level permissions. The shortcode is part of the plugin's breadcrumb functionality, and by crafting malicious attributes, an attacker can inject persistent JavaScript code. The vulnerability is due to insufficient input validation and output escaping in the shortcode handling, as seen in the plugin's code [2].
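The two failures named above (no input sanitization, no context-appropriate output escaping) are the general pattern behind stored XSS in WordPress shortcodes. The following is an added illustration, not code from the Productive Style plugin: a hypothetical breadcrumb shortcode named `pb_breadcrumb`, first in the unsafe form that concatenates attributes straight into HTML, then in a hardened form using the WordPress sanitization and escaping APIs (`shortcode_atts`, `sanitize_text_field`, `sanitize_html_class`, `esc_attr`, `esc_html`, `esc_url`). The attribute names and defaults are assumptions for the example.

```php
<?php
// Added illustration of the vulnerability class, not the plugin's own code.
// Hypothetical breadcrumb shortcode: [pb_breadcrumb home="Home" sep="/" class="breadcrumb"]

// Unsafe pattern: attribute values flow into the markup unmodified. Because the
// shortcode text is saved with the post, whatever a contributor places in these
// attributes is stored and rendered to every visitor of the page.
function pb_breadcrumb_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'home' => 'Home', 'sep' => '/', 'class' => 'breadcrumb' ),
        $atts,
        'pb_breadcrumb'
    );
    return '<nav class="' . $atts['class'] . '">'
        . '<a href="' . home_url( '/' ) . '">' . $atts['home'] . '</a> '
        . $atts['sep'] . ' ' . get_the_title()
        . '</nav>';
}

// Hardened pattern: accept only known attributes, sanitize each on input, and
// escape each value with the function that matches the context it lands in.
function pb_breadcrumb_safe( $atts ) {
    // shortcode_atts() drops any attribute not in the whitelist of defaults.
    $atts = shortcode_atts(
        array( 'home' => 'Home', 'sep' => '/', 'class' => 'breadcrumb' ),
        $atts,
        'pb_breadcrumb'
    );

    // Sanitize on input: sanitize_text_field() strips tags, line breaks and
    // control characters; sanitize_html_class() restricts the class to
    // [A-Za-z0-9_-] and falls back to 'breadcrumb' if nothing safe remains.
    $home  = sanitize_text_field( $atts['home'] );
    $sep   = sanitize_text_field( $atts['sep'] );
    $class = sanitize_html_class( $atts['class'], 'breadcrumb' );

    // Escape on output, per context: esc_attr() inside an HTML attribute,
    // esc_url() for an href, esc_html() for text nodes. Sanitizing alone is
    // not enough; escaping is what guarantees the value cannot change the
    // structure of the markup it is placed in.
    return sprintf(
        '<nav class="%1$s"><a href="%2$s">%3$s</a> %4$s %5$s</nav>',
        esc_attr( $class ),
        esc_url( home_url( '/' ) ),
        esc_html( $home ),
        esc_html( $sep ),
        esc_html( get_the_title() )
    );
}

add_shortcode( 'pb_breadcrumb', 'pb_breadcrumb_safe' );
```

When reviewing a shortcode handler for this class of bug, check both halves: every value returned by `shortcode_atts()` should pass through a `sanitize_*` function before use, and every echo or return into HTML should wrap the value in the `esc_*` function for that context. A value that is sanitized but placed unescaped inside an attribute, or escaped with `esc_html()` inside an `href`, still leaves the handler exploitable.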

Successful exploitation allows the attacker to perform actions in the context of the victim user, such as stealing cookies, session tokens, or performing actions on behalf of the victim. This can lead to privilege escalation or defacement of the WordPress site. The stored nature of the XSS means that any user visiting the compromised page is affected.

The vulnerability has been patched in versions after 1.1.23. Users are strongly advised to update to the latest version of the plugin. No official workaround is available; updating is the recommended mitigation [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in the index yet)