CVE-2025-9488
Description
The Redux Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data’ parameter in all versions up to, and including, 4.5.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Redux Framework <=4.5.8 for WordPress vulnerable to stored XSS via 'data' parameter, allowing authenticated attackers with Contributor-level access to inject arbitrary scripts.
The Redux Framework plugin for WordPress, a popular options framework used by themes and plugins, is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 4.5.8 [1]. The vulnerability resides in insufficient input sanitization and output escaping of the 'data' parameter, which allows an attacker to store malicious JavaScript code.
To exploit this vulnerability, an attacker must be authenticated with at least Contributor-level access. They can inject arbitrary web scripts via the 'data' parameter, which are then stored on the server. When any user, including administrators, views a page containing the injected data, the script executes in their browser.
The impact of successful exploitation includes the ability to execute arbitrary JavaScript in the context of the victim's session, potentially leading to session hijacking, defacement, or theft of sensitive information. Since the attack is stored, it can affect multiple users repeatedly without additional interaction from the attacker.
As of the publication date, no official patch has been released; users are advised to limit access to the plugin immediately and to apply any update newer than version 4.5.8 as soon as one is available [1]. Because exploitation requires an authenticated account with Contributor-level privileges, site administrators should review user roles and consider restricting Contributor access until a fix is applied.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <= 4.5.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.