Can you explain this vulnerability to me?

The vulnerability in the Domain For Sale WordPress plugin (up to version 3.0.10) is a Stored Cross-Site Scripting (XSS) issue via the 'class_name' parameter. This happens because the plugin does not properly sanitize or escape input for this parameter. As a result, an authenticated attacker with Contributor-level access or higher can inject malicious scripts into pages. These scripts will execute whenever any user views the infected page, potentially compromising user data or site integrity.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can allow attackers with Contributor-level access to inject arbitrary JavaScript code into the website's pages. When other users visit these pages, the malicious scripts execute in their browsers, which can lead to theft of sensitive information (like cookies or session tokens), unauthorized actions on behalf of users, defacement, or distribution of malware. It compromises the security and trustworthiness of the affected website.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

To mitigate the vulnerability CVE-2025-5239 in the Domain For Sale WordPress plugin, you should immediately update the plugin to version 3.0.11 or later, as the vulnerability affects all versions up to and including 3.0.10. Additionally, restrict Contributor-level access to trusted users only, as the exploit requires authenticated Contributor-level access or higher. Consider reviewing and sanitizing any user inputs related to the 'class_name' parameter and monitor your site for any suspicious script injections. [2]

Useful 0 Not Useful 0