CVE-2025-8720

Root

Cause The Plugin README Parser plugin for WordPress versions up to and including 1.3.15 contains a stored cross-site scripting vulnerability in the target parameter. The plugin reads and renders plugin README files but fails to properly sanitize the target input in the link generation function arp_display_links(), as seen in generate-output.php [1]. This allows arbitrary HTML and script injection into pages rendered by the shortcode.

Exploitation

An authenticated attacker with at least Contributor-level access can craft a README with a malicious target attribute. When the plugin processes this README and outputs it to a page, the injected script is stored and executes in the context of any user who visits that page. No elevated privileges beyond Contributor are required, making the attack accessible to any authenticated user who can submit content processed by the plugin.

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the browsers of visitors to the affected page. This can lead to session hijacking, defacement, theft of sensitive data, or distribution of malware. The vulnerability affects all installations that use the plugin to display README content on their sites.

Mitigation

The plugin was closed on August 14, 2025, and is no longer available for download due to this security issue [2]. Users should immediately replace the plugin with an alternative solution or remove it entirely from their WordPress sites, as no patched version exists.