CVE-2025-9488
Stored XSS in Redux Framework Plugin Allows Script Injection
Publication date: 2025-12-13
Last updated on: 2025-12-13
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redux | framework | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Redux Framework WordPress plugin is installed and running a version up to and including 4.5.8. Since the vulnerability involves stored Cross-Site Scripting via the 'data' parameter in shortcodes, you can scan your WordPress site for usage of Redux Framework shortcodes, especially those that accept the 'data' parameter. Additionally, inspecting pages or posts for suspicious injected scripts in shortcode outputs may help detect exploitation. There are no specific commands provided in the resources, but you can use WP-CLI commands to list plugin versions, for example: `wp plugin list --status=active` to check the Redux Framework version. Also, searching the database for suspicious shortcode usage or script tags in post content can be done via SQL queries. However, no explicit detection commands are provided in the resources. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Redux Framework WordPress plugin to version 4.5.9 or later, as version 4.5.9 addresses multiple issues and improves compatibility, including security fixes related to deprecated files and conflicts. Since the vulnerability exists in all versions up to and including 4.5.8, upgrading to 4.5.9 removes the vulnerable code. Additionally, ensure that only trusted users have Contributor-level access or higher, as the vulnerability requires authenticated users with such privileges to exploit. Monitoring and restricting user permissions can reduce risk until the update is applied. [1, 2]
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Redux Framework plugin for WordPress. It occurs via the 'data' parameter in all versions up to and including 4.5.8 because the plugin does not properly sanitize input or escape output. Authenticated users with Contributor-level access or higher can inject malicious scripts that will execute whenever any user views the affected page.
How can this vulnerability impact me? :
This vulnerability can allow attackers with Contributor-level access to inject malicious scripts into pages, which will execute in the browsers of users who visit those pages. This can lead to theft of user credentials, session hijacking, defacement, or other malicious actions performed on behalf of the victim user.