CVE-2025-2874: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in specialk User Submitted Posts – Enable Users to Submit Posts from the Front End
CVE-2025-2874 is a stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin 'User Submitted Posts – Enable Users to Submit Posts from the Front End' by specialk. It affects all versions up to and including 20240319, specifically in multi-site WordPress installations where unfiltered_html is disabled. The flaw allows authenticated users with administrator-level permissions or higher to inject malicious scripts via admin settings, which execute when other users access the compromised pages. The vulnerability arises from insufficient input sanitization and output escaping. Exploitation requires high privileges and does not need user interaction, but it can compromise the confidentiality and integrity of affected sites. The CVSS score is 4.4 (medium severity), reflecting limited impact and higher attack complexity. No known exploits are currently reported in the wild. Organizations using this plugin in multi-site configurations should prioritize patching or applying mitigations to prevent potential script injection attacks.
AI Analysis
Technical Summary
CVE-2025-2874 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the WordPress plugin 'User Submitted Posts – Enable Users to Submit Posts from the Front End' developed by specialk. This vulnerability affects all plugin versions up to and including 20240319. The root cause is insufficient sanitization of user input and inadequate output escaping in the plugin's admin settings functionality. Specifically, in multi-site WordPress installations where the 'unfiltered_html' capability is disabled, authenticated users with administrator-level permissions or higher can inject arbitrary JavaScript code into posts or pages via the plugin's front-end post submission feature. When other users visit these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, data theft, or unauthorized actions performed on behalf of the victim. The vulnerability requires authenticated access with high privileges, making exploitation more complex and limiting the attack surface. The CVSS v3.1 base score is 4.4, indicating medium severity, with attack vector network, high attack complexity, high privileges required, no user interaction, and a scope change. No public exploits have been reported yet. The vulnerability is particularly relevant for WordPress multi-site environments using this plugin, which are common in organizations managing multiple sites under a single installation.
Potential Impact
The impact of CVE-2025-2874 is primarily on the confidentiality and integrity of affected WordPress multi-site environments. Successful exploitation allows an attacker with administrator-level access to inject persistent malicious scripts that execute in the context of other users visiting the compromised pages. This can lead to theft of sensitive information such as authentication cookies, enabling session hijacking, unauthorized actions performed with victim privileges, and potential further compromise of the site or network. Although availability is not directly affected, the injected scripts could be used to deliver malware or redirect users to malicious sites, indirectly impacting user trust and site reputation. The requirement for high privileges limits the threat to insiders or compromised administrator accounts, but the multi-site context increases the potential scope of impact across multiple sites managed under the same installation. Organizations relying on this plugin in multi-site setups face risks of data leakage, unauthorized administrative actions, and reputational damage if the vulnerability is exploited.
Mitigation Recommendations
To mitigate CVE-2025-2874, organizations should update the 'User Submitted Posts – Enable Users to Submit Posts from the Front End' plugin to a patched version as soon as one is available. Until a patch is released, administrators should restrict plugin usage to trusted users only and audit administrator accounts to prevent unauthorized access. Disabling the plugin in multi-site environments or limiting its functionality can reduce exposure. Additionally, enabling the 'unfiltered_html' capability cautiously, or reviewing the configuration to ensure it aligns with security policies, may help mitigate risk. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injection attempts can provide temporary protection. Regularly monitoring logs for unusual administrator activity and scanning pages for injected scripts can help detect exploitation attempts early. Finally, educating administrators about the risks of XSS and enforcing strong authentication controls reduces the likelihood of privilege misuse.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-03-27T14:51:27.637Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b26b7ef31ef0b54eb0e
Added to database: 2/25/2026, 9:35:34 PM
Last enriched: 2/25/2026, 10:28:56 PM
Last updated: 2/26/2026, 9:33:08 AM