CVE-2025-50022 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the WordPress plugin WP-FB-AutoConnect developed by justin_k. This plugin facilitates Facebook auto-login integration for WordPress sites. The vulnerability arises due to improper neutralization of user-supplied input during web page generation, allowing malicious scripts to be stored persistently within the plugin's data handling processes. When a victim visits a compromised page, the malicious script executes in their browser context. The vulnerability affects all versions of WP-FB-AutoConnect up to and including version 4.6.3. The CVSS v3.1 base score is 5.9 (medium severity), with vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L, indicating that the attack can be launched remotely over the network with low attack complexity but requires high privileges and user interaction. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. The impact includes limited confidentiality, integrity, and availability loss, typically associated with XSS attacks such as session hijacking, defacement, or redirection. No known exploits are currently reported in the wild, and no official patches have been linked yet. Stored XSS in a widely used WordPress plugin can be leveraged by attackers to target site administrators or users, potentially leading to account compromise or further exploitation within the affected web application environment.

For European organizations using WP-FB-AutoConnect, particularly those with high-privilege users managing WordPress sites, this vulnerability poses a risk of session hijacking, unauthorized actions, and data leakage through malicious script execution. Given the plugin’s role in Facebook auto-login, attackers could manipulate authentication flows or steal tokens, impacting user trust and compliance with data protection regulations such as GDPR. The scope change (S:C) means that exploitation could affect multiple users or components beyond the plugin itself, potentially leading to broader compromise of web infrastructure. Organizations in sectors with high reliance on WordPress for public-facing or internal portals—such as media, education, and SMEs—may face reputational damage and operational disruption. Although no active exploits are reported, the medium severity and ease of remote network access warrant proactive mitigation to prevent exploitation, especially in environments where users have elevated privileges and user interaction is common.

1. Immediate audit of all WordPress sites using WP-FB-AutoConnect to identify affected versions (up to 4.6.3). 2. Disable or remove the WP-FB-AutoConnect plugin until a security patch is released. 3. Implement strict Content Security Policy (CSP) headers to restrict script execution sources, mitigating impact of stored XSS payloads. 4. Enforce least privilege principles for WordPress user roles to reduce the risk posed by high privilege requirements for exploitation. 5. Conduct input validation and output encoding on all user-generated content within WordPress, especially where the plugin interacts with Facebook login data. 6. Monitor web server and application logs for unusual POST requests or suspicious script injections related to the plugin. 7. Educate administrators and users about the risks of clicking on suspicious links or interacting with untrusted content on affected sites. 8. Prepare to apply vendor patches promptly once available and subscribe to security advisories from the plugin developer and WordPress security channels. 9. Consider deploying Web Application Firewalls (WAF) with custom rules to detect and block typical XSS payloads targeting this plugin’s endpoints.