CVE-2025-5239 is a stored Cross-Site Scripting vulnerability identified in the Domain For Sale plugin for WordPress, developed by themeatelier. This vulnerability exists due to improper neutralization of input during web page generation, specifically via the 'class_name' parameter. Versions up to and including 3.0.10 fail to adequately sanitize and escape this parameter, allowing authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code. When a user accesses a page containing the injected script, it executes in their browser context, potentially compromising session tokens, redirecting users, or performing unauthorized actions on behalf of the victim. The vulnerability is classified under CWE-79 and has a CVSS v3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges of an authenticated contributor but no user interaction. The scope is changed as the vulnerability can affect other users viewing the injected content. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. This vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow user-generated content or parameters that are rendered on public-facing pages.

The impact of CVE-2025-5239 is significant for organizations running WordPress sites with the affected Domain For Sale plugin. Exploitation can lead to session hijacking, enabling attackers to impersonate users with elevated privileges, potentially leading to further site compromise. It can also facilitate phishing attacks, defacement, or distribution of malware through injected scripts. Since the vulnerability requires Contributor-level access, attackers may exploit compromised or weak contributor accounts to escalate their impact. The vulnerability affects the confidentiality and integrity of user sessions and data but does not directly impact availability. For organizations relying on this plugin for domain marketplace functionalities, exploitation could damage reputation and trust, especially if customer data or transactions are involved. The medium severity score reflects the balance between required privileges and the potential damage. However, in environments with many contributors or weak access controls, the risk is elevated. The lack of known exploits currently limits immediate widespread impact but does not reduce the urgency of remediation.

To mitigate CVE-2025-5239, organizations should first verify if they use the affected Domain For Sale plugin version 3.0.10 or earlier and plan immediate updates once a patch is released. In the absence of an official patch, restrict Contributor-level permissions to trusted users only, minimizing the risk of malicious script injection. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'class_name' parameter. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Conduct regular audits of user-generated content and plugin parameters for injected scripts. Additionally, harden WordPress security by enforcing strong authentication, monitoring user activities, and isolating critical administrative functions. Developers and site administrators should also consider sanitizing and escaping all inputs and outputs related to the plugin manually if possible, or temporarily disabling the plugin until a fix is available. Finally, educate contributors about the risks of injecting unsafe content and enforce strict content submission guidelines.