CVE-2025-5490 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Football Pool plugin for WordPress developed by antoineh. The flaw exists in all versions up to and including 2.12.4 due to improper input sanitization and output escaping in the plugin's admin settings interface. This vulnerability allows authenticated users with administrator-level permissions or higher to inject arbitrary JavaScript code into pages generated by the plugin. The malicious scripts are stored persistently and executed whenever any user accesses the injected page, potentially leading to session hijacking, privilege escalation, or other malicious actions. The vulnerability specifically affects WordPress multisite installations or single-site installations where the unfiltered_html capability is disabled, limiting the attack surface. The CVSS 3.1 base score is 5.5, indicating medium severity, with an attack vector of network, low attack complexity, requiring high privileges, no user interaction, and a scope change due to affecting other users. No public exploits have been reported yet, but the vulnerability poses a risk in environments where multiple users access the affected pages. The lack of output escaping and input validation in admin settings is the root cause, making it possible for attackers to embed scripts that run in the context of other users' browsers.

The primary impact of CVE-2025-5490 is the potential compromise of confidentiality and integrity within affected WordPress multisite environments using the Football Pool plugin. An attacker with administrator privileges can inject malicious scripts that execute in the browsers of other users, potentially stealing session cookies, performing actions on behalf of users, or defacing content. Although availability is not directly impacted, the breach of trust and potential for privilege escalation can lead to broader security incidents. Organizations relying on multisite WordPress installations with this plugin are at risk of internal attacks by malicious administrators or compromised admin accounts. The vulnerability could facilitate lateral movement within an organization’s web infrastructure or lead to data leakage. Since exploitation requires high privileges, external attackers must first compromise an admin account, but insider threats or phishing attacks could enable this. The medium CVSS score reflects these factors, indicating a moderate but significant risk to organizations with affected configurations.

To mitigate CVE-2025-5490, organizations should immediately update the Football Pool plugin to a version beyond 2.12.4 once available, as the vendor is expected to release a patch addressing the input sanitization and output escaping issues. Until a patch is applied, administrators should restrict plugin access strictly to trusted personnel and review admin settings for suspicious scripts or content. Implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the plugin’s admin endpoints can reduce risk. Additionally, enabling Content Security Policy (CSP) headers can help limit the impact of injected scripts by restricting script execution sources. Regularly auditing multisite WordPress installations for unauthorized changes and monitoring logs for unusual admin activity is recommended. Disabling or limiting the use of the Football Pool plugin in multisite environments where unfiltered_html is disabled can also reduce exposure. Finally, educating administrators about the risks of XSS and enforcing strong authentication controls will help prevent privilege escalation leading to exploitation.