CVE-2025-9333
Description
The Smart Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Smart Docs plugin for WordPress (≤1.1.1) has a stored XSS vulnerability via admin settings, exploitable by admins on multi-site or unfiltered_html-disabled installs.
What the vulnerability is
The Smart Docs plugin for WordPress, in all versions up to and including 1.1.1, contains a stored cross-site scripting (XSS) vulnerability. The root cause is insufficient input sanitization and output escaping in the plugin's admin settings. This allows malicious script code to be stored in the system and later executed in the context of a user's browser when they access a page containing the injected payload [1].
How it's exploited
The attack requires authenticated access with administrator-level permissions or higher. Successful exploitation is limited to two WordPress configurations: multisite installations, where only super administrators hold the unfiltered_html capability, and single-site installations where unfiltered_html has been explicitly disabled (for example via the DISALLOW_UNFILTERED_HTML constant). On any other install an administrator can already publish raw HTML, so the missing sanitization grants nothing new there. The attacker injects arbitrary web scripts through the vulnerable admin settings fields; the scripts are stored and execute for any user who subsequently views the affected page [1].
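The two paragraphs above describe the bug class (a setting stored without sanitization and echoed without escaping) and the capability condition that scopes it. The following PHP is an added illustration written for this page, not the Smart Docs plugin's own code; the plugin's real option and field names are not given in the advisory, so every `example_*` function and the `example_docs_footer` / `example_docs_title` option names are hypothetical. It places the vulnerable pattern beside the hardened one that WordPress core expects, and shows why the `unfiltered_html` capability decides whether the flaw matters.

```php
<?php
/*
 * Added example (hypothetical names, not Smart Docs code): a settings field
 * stored and rendered two ways. The first way is the stored-XSS pattern the
 * advisory describes; the second is the sanitize-on-save, escape-on-output
 * pattern that closes it.
 */

// --- Vulnerable pattern: stored verbatim, echoed verbatim ------------------
function example_vuln_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_docs_settings' );
    // No sanitize step: "<script>...</script>" is written to wp_options as-is.
    update_option( 'example_docs_footer', wp_unslash( $_POST['example_docs_footer'] ) );
}

function example_vuln_render_footer() {
    // No output escaping: whatever was stored runs in every viewer's browser.
    echo '<div class="docs-footer">' . get_option( 'example_docs_footer' ) . '</div>';
}

// --- Hardened pattern ------------------------------------------------------
// 1. Sanitize on save. An administrator who lacks unfiltered_html (every
//    non-super-admin on multisite, or everyone when DISALLOW_UNFILTERED_HTML
//    is set) must be held to the same allow-list as any other user. Users who
//    do hold unfiltered_html are permitted raw HTML by WordPress policy, which
//    is exactly why the advisory scopes the bug to installs without it.
function example_sanitize_footer( $value ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value; // same trust WordPress already gives their post content
    }
    // wp_kses_post() keeps post-safe tags and drops <script>, on* handlers,
    // and javascript: URLs.
    return wp_kses_post( $value );
}

function example_register_settings() {
    // register_setting() wires sanitize_callback into update_option(), so the
    // value is cleaned no matter which code path saves it.
    register_setting(
        'example_docs_group',
        'example_docs_footer',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_sanitize_footer',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'example_register_settings' );

// 2. Escape on output, for the context the value lands in.
function example_render_footer() {
    $footer = get_option( 'example_docs_footer', '' );
    // Filter again at render time: defence in depth against a value that was
    // stored before the sanitize callback existed.
    echo '<div class="docs-footer">' . wp_kses_post( $footer ) . '</div>';
}

function example_render_title() {
    // Plain-text settings never get echoed raw: esc_attr() inside attributes,
    // esc_html() inside element content.
    $title = get_option( 'example_docs_title', '' );
    printf( '<h2 title="%s">%s</h2>', esc_attr( $title ), esc_html( $title ) );
}
```

To check whether a given site is in the affected scope, confirm whether its administrators actually hold the capability; with WP-CLI, `wp eval 'echo current_user_can("unfiltered_html") ? "yes" : "no";' --user=<admin-login>` prints `no` on a multisite sub-site for a non-super-admin and on any install with DISALLOW_UNFILTERED_HTML set. Those are the installs where a plugin's missing sanitization turns an otherwise permitted action into a privilege gain.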
Impact
An attacker who successfully exploits this vulnerability can inject arbitrary JavaScript code that executes in the context of the victim's browser session. This could lead to session hijacking, credential theft, redirection to malicious sites, or other client-side attacks. The stored nature of the XSS means the malicious script runs automatically for every visitor, including other administrators, if they access the compromised page [1].
Mitigation status
As of the publication date (2025-10-03), no patched version has been released; all versions up to and including 1.1.1 are affected. The vendor has been notified. Users on multi-site networks or installations with unfiltered_html disabled should either restrict admin access to only trusted users or apply strict workarounds (e.g., disabling the plugin's admin settings fields via custom code) until an update is available [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <=1.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2 references (not listed on this page)
News mentions
No linked articles in our index yet.