CVE-2025-8399

Vulnerability

The Mmm Unity Loader plugin for WordPress, in all versions up to and including 1.0, contains a stored cross-site scripting (XSS) vulnerability in its MmmUnityLoader shortcode. The plugin's LoadUnityPlayer function passes user-supplied attributes directly into a sprintf format string without sanitization or output escaping [1]. This allows an attacker to inject arbitrary HTML and JavaScript that is then rendered when the shortcode is processed.

Exploitation

An attacker must have at least Contributor-level access on the WordPress site to insert the vulnerable shortcode into a post or page. No additional privileges are required beyond that access level [1]. When any user visits the affected page, the injected script executes in their browser, making this a stored XSS attack that persists in the database until the content is removed.

Impact

Successful exploitation allows the attacker to execute arbitrary web scripts in the context of the victim's session. This can lead to session hijacking, site defacement, theft of sensitive information, or further compromise of the WordPress environment. Since the XSS is stored, every visitor to the injected page is affected until the malicious content is cleaned.

Mitigation

As of July 31, 2025, the Mmm Unity Loader plugin has been removed from the WordPress plugin directory due to this security issue [2]. No patched version is available. Site administrators should immediately delete the plugin from any installations that still have it active. No workarounds are provided.