CVE-2025-10580
BaseFortify
Publication date: 2025-10-25
Last updated on: 2025-10-27
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpres | widget_options | 4.1.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-10580 is a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin 'Widget Options' up to version 4.1.2. It occurs because the plugin does not properly sanitize and escape user inputs related to widget classes and IDs. This allows authenticated users with Contributor-level access or higher to inject malicious scripts into widget options, which then execute whenever any user views the affected page. The vulnerability was fixed in version 4.1.3 by applying proper sanitization functions to user inputs to prevent script injection. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with Contributor-level access or higher to inject malicious JavaScript into pages via widget options. When other users visit these pages, the injected scripts execute in their browsers, potentially leading to theft of user credentials, session hijacking, defacement, or other malicious actions. This compromises the security and integrity of the affected WordPress site and its users. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking the version of the Widget Options plugin installed on your WordPress site. Versions up to and including 4.1.2 are vulnerable. To detect the plugin version, you can use WP-CLI commands such as `wp plugin list` to list installed plugins and their versions. Additionally, inspecting widget options or pages for suspicious or unexpected script injections in widget areas may indicate exploitation attempts. There are no specific network commands provided for detection in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Widget Options plugin to version 4.1.3 or later, where the vulnerability has been fixed by enhancing input sanitization and output escaping. This update prevents stored cross-site scripting by sanitizing widget IDs and classes. Until the update is applied, restrict Contributor-level access if possible to reduce risk. [1]