CVE-2025-5699: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in gsaraiva Developer Formatter
The Developer Formatter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS in all versions up to, and including, 2015.0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AI Analysis
Technical Summary
CVE-2025-5699 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Developer Formatter plugin for WordPress, maintained by gsaraiva. This vulnerability exists in all versions up to and including 2015.0.2.1 and specifically affects multi-site WordPress installations where the unfiltered_html capability is disabled. The root cause is insufficient sanitization and escaping of user input in the Custom CSS feature, which allows authenticated users with administrator-level privileges to inject arbitrary JavaScript code into pages. Because the injected scripts are stored persistently, they execute automatically whenever any user visits the affected page, potentially compromising user sessions, stealing credentials, or performing unauthorized actions on behalf of users. The vulnerability requires administrator-level authentication, limiting exploitation to trusted users or attackers who have already compromised an admin account. The CVSS 3.1 score of 5.5 reflects a medium severity, with network attack vector, low attack complexity, and no user interaction required. The vulnerability impacts confidentiality and integrity but does not affect availability. No public exploits have been reported yet, but the vulnerability's presence in a widely used CMS plugin and the potential for privilege escalation make it a significant concern for affected WordPress multi-site environments.
Potential Impact
The primary impact of CVE-2025-5699 is the potential for stored XSS attacks within multi-site WordPress installations using the Developer Formatter plugin. Successful exploitation allows an attacker with administrator privileges to inject malicious scripts that execute in the browsers of users visiting the compromised pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential further compromise of the WordPress environment. Although exploitation requires admin-level access, the vulnerability can facilitate lateral movement or privilege escalation if an attacker gains an initial foothold. The scope is limited to multi-site installations with unfiltered_html disabled, but given WordPress's widespread use in enterprises, educational institutions, and government websites, the impact can be significant. The vulnerability does not affect system availability but compromises the confidentiality and integrity of user data and site content.
Mitigation Recommendations
To mitigate CVE-2025-5699, organizations should first verify whether they are running multi-site WordPress installations with the Developer Formatter plugin version 2015.0.2.1 or earlier. Immediate steps include:
1) Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as MFA to reduce the risk of credential compromise.
2) Disable or limit the use of the Custom CSS feature within the plugin, if possible, until a patch is available.
3) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers.
4) Monitor and audit administrator activities for suspicious changes to CSS or page content.
5) Regularly update WordPress plugins and core to the latest versions once a patch or update addressing this vulnerability is released.
6) Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block malicious script injections targeting this plugin.
7) Educate administrators on the risks of stored XSS and safe content management practices.
Since no patch links are currently available, close coordination with the plugin vendor or community for updates is essential.
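As an added illustration (not the Developer Formatter plugin's own code; the option, hook and function names are hypothetical), this shows how a plugin's Custom CSS setting can be gated on the unfiltered_html capability at save time and stripped of markup at output time, the same two controls WordPress core applies to its own Additional CSS feature:

```php
<?php
// Added illustration (not the Developer Formatter plugin's code): gating and
// escaping a "Custom CSS" option so stored markup cannot reach the page.
// Option, hook and function names are hypothetical.

// 1. Sanitize on save. Markup is never allowed inside a style block, and users
//    without unfiltered_html (e.g. non-super-admins on multisite) get their
//    input stripped instead of stored verbatim.
function df_example_sanitize_custom_css( $css ) {
    $css = (string) $css;
    // A closing </style> tag would let the remainder of the value break out of
    // the style element and be parsed as HTML; refuse it and keep the old value.
    if ( false !== stripos( $css, '</style' ) ) {
        add_settings_error( 'df_example_custom_css', 'markup', 'Markup is not allowed in CSS.' );
        return get_option( 'df_example_custom_css', '' );
    }
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $css = wp_strip_all_tags( $css );
    }
    return $css;
}

add_action( 'admin_init', function () {
    register_setting( 'df_example_group', 'df_example_custom_css', array(
        'type'              => 'string',
        'sanitize_callback' => 'df_example_sanitize_custom_css',
        'default'           => '',
    ) );
} );

// 2. Escape on output regardless of what is stored. The vulnerable pattern is
//    echoing the raw option straight into <style>...</style>.
add_action( 'wp_head', function () {
    $css = get_option( 'df_example_custom_css', '' );
    if ( '' === $css ) {
        return;
    }
    // Strip tags again at output time so a value stored before the fix cannot
    // inject markup. Entities are not decoded inside <style>, so esc_html() is
    // the wrong tool here: it would turn a selector like "a > b" into "a &gt; b".
    echo '<style id="df-example-custom-css">' . wp_strip_all_tags( $css ) . '</style>';
} );
```

Pairing the save-time capability check with the output-time strip is what makes the defence hold on multisite, where administrators lack unfiltered_html and the stored value must be treated as untrusted.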
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-04T20:37:32.506Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68429199182aa0cae20492f8
Added to database: 6/6/2025, 6:58:33 AM
Last enriched: 2/27/2026, 3:30:05 PM
Last updated: 3/25/2026, 1:42:50 AM