CVE-2025-25142 identifies a stored cross-site scripting (XSS) vulnerability in the WP Less Compiler plugin developed by The Jake Group for WordPress. The vulnerability stems from improper neutralization of user-supplied input during web page generation, allowing malicious scripts to be stored persistently within the application. When a victim accesses the compromised page, the injected script executes in their browser context, potentially leading to session hijacking, credential theft, unauthorized actions, or site defacement. The affected versions include all releases up to and including version 1.3.0. The vulnerability does not require authentication or user interaction beyond visiting the affected page, increasing its risk profile. No CVSS score has been assigned yet, and no public exploits have been reported. The vulnerability was reserved in early February 2025 and published in March 2025. The lack of patches at the time of publication necessitates immediate attention from administrators. Stored XSS vulnerabilities are particularly dangerous in WordPress environments due to the platform's widespread use and the potential for attackers to leverage compromised sites for further attacks or malware distribution.

The impact of CVE-2025-25142 can be significant for organizations using the WP Less Compiler plugin on WordPress sites. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of users visiting the affected site, potentially leading to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and defacement of web content. This can damage organizational reputation, lead to data breaches, and facilitate further attacks such as phishing or malware distribution. Since WordPress powers a large portion of websites globally, including many business and government sites, the scope of affected systems is broad. The vulnerability's ease of exploitation without authentication or complex prerequisites increases the likelihood of attacks. Organizations with high-privilege users accessing the site are at greater risk. Additionally, compromised sites can be used as a launchpad for attacks against visitors, amplifying the threat beyond the initial target.

To mitigate CVE-2025-25142, organizations should take the following specific actions: 1) Monitor official channels from The Jake Group for patches or updates addressing this vulnerability and apply them immediately upon release. 2) In the interim, restrict or sanitize all user inputs that interact with the WP Less Compiler plugin, especially those that influence web page generation. 3) Implement a robust Content Security Policy (CSP) to limit the execution of unauthorized scripts and reduce the impact of potential XSS payloads. 4) Conduct thorough code reviews and input validation audits on the plugin's integration points within the WordPress environment. 5) Limit administrative access and enforce the principle of least privilege to reduce the risk posed by compromised accounts. 6) Employ web application firewalls (WAFs) with rules targeting XSS attack patterns to detect and block malicious requests. 7) Educate site administrators and users about the risks of XSS and encourage vigilance regarding suspicious site behavior. 8) Regularly back up website data to enable quick restoration in case of compromise.