CVE-2025-9860
BaseFortify
Publication date: 2025-09-11
Last updated on: 2025-09-11
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | mixtape | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Mixtape plugin for WordPress is a Stored Cross-Site Scripting (XSS) issue. It occurs in the 'mixtape' shortcode in all versions up to and including 1.1. Due to insufficient input sanitization and output escaping on user-supplied attributes, authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the injected page, potentially compromising user interactions and data.
How can this vulnerability impact me? :
This vulnerability can allow attackers with contributor-level access to inject malicious scripts into WordPress pages via the Mixtape plugin's shortcode. When other users visit these pages, the injected scripts execute in their browsers, which can lead to theft of sensitive information, session hijacking, defacement, or other malicious actions. This compromises the security and integrity of the website and its users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability can negatively impact compliance with standards like GDPR and HIPAA because it risks unauthorized access to personal or sensitive data through script injection. If exploited, it could lead to data breaches or unauthorized data processing, which are violations of these regulations' requirements for data protection and privacy.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by scanning WordPress sites for the presence of the Mixtape plugin version 1.1 or earlier and checking for usage of the 'mixtape' shortcode. Since the vulnerability involves stored Cross-Site Scripting via shortcode attributes, inspecting posts or pages containing the shortcode for suspicious or unexpected script tags or payloads can help detect exploitation. There are no specific commands provided in the resources, but general detection steps include: 1) Using WP-CLI to list installed plugins and their versions: `wp plugin list` 2) Searching posts for the shortcode usage via database queries, e.g., `SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[mixtape%'` 3) Using web vulnerability scanners that detect stored XSS in WordPress plugins. 4) Monitoring HTTP responses for injected scripts in pages containing the shortcode. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Updating the Mixtape plugin to a version later than 1.1 where the vulnerability is fixed. 2) If an update is not available, temporarily disabling or removing the Mixtape plugin to prevent exploitation. 3) Restricting contributor-level and above users from adding or editing content with the 'mixtape' shortcode until the issue is resolved. 4) Implementing Web Application Firewall (WAF) rules to block malicious script injections via shortcode attributes. 5) Reviewing and sanitizing existing content that uses the 'mixtape' shortcode to remove any injected scripts. [1]