CVE-2025-11927
BaseFortify
Publication date: 2025-11-01
Last updated on: 2025-11-04
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | nazy-load | * |
| wordpress | flying_images | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11927 is a Stored Cross-Site Scripting (XSS) vulnerability in the Flying Images: Optimize and Lazy Load Images for Faster Page Speed WordPress plugin (versions up to 2.4.14). It occurs because the plugin does not properly sanitize and escape input in the admin settings, allowing authenticated users with administrator-level permissions to inject malicious scripts. These scripts then execute whenever any user accesses the affected pages. This vulnerability specifically affects multi-site WordPress installations or those where the unfiltered_html capability is disabled.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with administrator privileges to inject malicious JavaScript code into the website's pages. When other users visit these pages, the injected scripts execute in their browsers, potentially leading to theft of sensitive information, session hijacking, defacement, or further compromise of the site. Since it is a stored XSS, the malicious code persists on the site until removed, posing ongoing risk to users and site integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the WordPress site is running the Flying Images: Optimize and Lazy Load Images for Faster Page Speed plugin (nazy-load) version 2.4.14 or earlier on a multi-site installation or where unfiltered_html is disabled. Since the vulnerability is a stored XSS via admin settings, detection can include reviewing the admin settings for suspicious script injections, especially in the lazyload margin or related configuration fields. There are no specific network commands provided in the resources to detect exploitation. However, administrators can audit the plugin version and inspect the 'flying_images_margin' setting for non-integer or suspicious values. Additionally, monitoring HTTP responses for injected scripts in pages served by the plugin could help. No explicit commands are provided in the resources. [4, 1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the nazy-load plugin to version 2.4.15 or later, which contains the security fix for CVE-2025-11927. This update improves input validation by enforcing that the lazyload margin setting is a non-negative integer, preventing unsafe or malformed values that could lead to stored XSS. Additionally, ensure that only trusted administrators have access to the plugin settings, and consider enabling unfiltered_html only if necessary. Reviewing and sanitizing admin inputs and applying the latest plugin updates are critical to mitigating this vulnerability. [4]