CVE-2025-2839 identifies a stored Cross-Site Scripting (XSS) vulnerability in the WP Import Export Lite plugin for WordPress, specifically in the 'wpiePreviewData' function. This vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. The plugin fails to adequately sanitize and escape user-supplied input, allowing authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on their behalf. The vulnerability affects all plugin versions up to and including 3.9.27. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed due to the impact on other users viewing the injected content. No public exploits are currently known, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those allowing Contributor-level access to untrusted users. The lack of patches at the time of reporting necessitates immediate mitigation efforts.

This vulnerability can lead to unauthorized script execution within the context of affected WordPress sites, compromising confidentiality and integrity of user sessions and data. Attackers could steal cookies, perform actions on behalf of other users, or deface websites. Although availability impact is minimal, the reputational damage and potential data breaches can be significant. Organizations with multiple contributors or less restrictive access controls are at higher risk. Since WordPress powers a substantial portion of the web, and WP Import Export Lite is a popular plugin, the scope of affected systems is broad. Exploitation requires authentication but no further user interaction, facilitating insider threats or compromised contributor accounts. The vulnerability could be leveraged in targeted attacks against organizations relying on this plugin for data import/export operations, potentially leading to lateral movement or privilege escalation within the web application environment.

1. Immediately restrict Contributor-level access to trusted users only, minimizing the risk of malicious input injection. 2. Monitor and audit user-generated content for suspicious scripts or anomalies, especially in pages generated via the plugin. 3. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting the 'wpiePreviewData' function or related endpoints. 4. Apply manual input validation and output encoding in custom code interacting with the plugin if patches are unavailable. 5. Regularly update the WP Import Export Lite plugin once a security patch is released by the vendor. 6. Educate content contributors about safe input practices and the risks of injecting scripts. 7. Employ Content Security Policy (CSP) headers to restrict script execution sources, mitigating impact of injected scripts. 8. Backup website data frequently to enable recovery in case of compromise. These steps go beyond generic advice by focusing on access control, monitoring, and layered defenses specific to this plugin's vulnerability.