CVE-2025-8902
BaseFortify
Publication date: 2025-09-23
Last updated on: 2025-09-24
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| widget_options | widget_options | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8902 is a security vulnerability in the Widget Options - Extended plugin for WordPress, specifically a Stored Cross-Site Scripting (XSS) flaw. It occurs due to insufficient input sanitization and output escaping on user-supplied attributes in the 'do_sidebar' shortcode. This allows authenticated attackers with contributor-level access or higher to inject malicious scripts that execute whenever a user views the affected page. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers with contributor-level access to inject arbitrary web scripts into pages, which execute in the context of users visiting those pages. This can lead to theft of user credentials, session hijacking, defacement, or other malicious actions performed on behalf of the user, potentially compromising site security and user data. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking the version of the Widget Options plugin installed on your WordPress site. Versions up to and including 5.2.1 are vulnerable. You can detect the plugin version via WordPress admin dashboard or by running commands to check the plugin version in the WordPress installation directory. For example, use: `wp plugin list --format=json` (if WP-CLI is installed) to list plugin versions. Additionally, scanning for suspicious stored scripts in pages using the 'do_sidebar' shortcode may help identify exploitation attempts. However, no specific commands for direct detection of the vulnerability are provided. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Widget Options plugin to version 5.2.2 or later, as this version includes fixes for the stored cross-site scripting vulnerability by sanitizing input and validating PHP code. Additionally, restrict contributor-level access and above to trusted users only, as the vulnerability requires authenticated access. Monitoring and applying all security updates promptly is recommended. [1]