CVE-2025-5699: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in gsaraiva Developer Formatter
The Developer Formatter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS in all versions up to, and including, 2015.0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AI Analysis
Technical Summary
CVE-2025-5699 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Developer Formatter plugin for WordPress, developed by gsaraiva. This vulnerability affects all versions up to and including 2015.0.2.1. The root cause is improper neutralization of input during web page generation (CWE-79), specifically due to insufficient input sanitization and output escaping of the Custom CSS feature. An authenticated attacker with administrator-level privileges can exploit this vulnerability in multi-site WordPress installations or installations where the 'unfiltered_html' capability is disabled. By injecting malicious scripts into the Custom CSS, the attacker can cause arbitrary JavaScript code to execute in the context of any user who accesses the compromised page. This can lead to session hijacking, privilege escalation, or other malicious activities. The vulnerability has a CVSS 3.1 base score of 5.5 (medium severity), with an attack vector of network (remote), low attack complexity, requiring high privileges, no user interaction, and a scope change. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability is specific to multi-site WordPress environments or those with restricted HTML filtering, limiting its scope somewhat but still posing a significant risk in those contexts.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to those using WordPress multi-site installations with the Developer Formatter plugin installed and configured with restricted HTML capabilities. Exploitation could allow attackers with admin access to inject persistent malicious scripts, potentially compromising the confidentiality and integrity of user sessions and data. This could lead to unauthorized actions performed on behalf of users, data theft, or defacement of websites. Given the widespread use of WordPress across European businesses, especially in sectors like media, education, and government, the impact could be substantial if exploited. However, the requirement for administrator-level access and specific configuration reduces the likelihood of widespread exploitation. Still, organizations with multi-site WordPress deployments should consider this a significant risk, particularly if they host sensitive or high-profile content.
Mitigation Recommendations
European organizations should take the following specific steps:
1) Immediately audit WordPress installations to identify the presence of the Developer Formatter plugin and verify if it is used in multi-site configurations or with 'unfiltered_html' disabled.
2) Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise.
3) Until an official patch is released, consider disabling or removing the Developer Formatter plugin in affected environments, especially in multi-site setups.
4) Implement Content Security Policy (CSP) headers to limit the impact of potential XSS by restricting the sources of executable scripts.
5) Monitor logs and user activity for unusual behavior that might indicate exploitation attempts.
6) Educate administrators on the risks of injecting custom CSS and the importance of input validation.
7) Regularly update WordPress core and plugins to incorporate security fixes promptly once available.
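As an added example supporting step 1 (not part of the advisory or the plugin), the following helper checks a WordPress install for the plugin version range the advisory names and for the two exposure conditions it lists. It assumes the plugin lives under wp-content/plugins/developer-formatter/ (slug assumed) and that unfiltered_html is disabled via the DISALLOW_UNFILTERED_HTML constant in wp-config.php; role-editor plugins can remove the capability another way, so a negative result is "not confirmed", not "safe". The sample header and config strings are constructed for illustration.

```python
import re
from pathlib import Path

# Advisory: every version up to and including 2015.0.2.1 is affected.
AFFECTED_MAX = (2015, 0, 2, 1)

# Constructed sample inputs (not real files from any install).
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: Developer Formatter\nVersion: 2015.0.2.1\n*/\n"
SAMPLE_CONFIG = "define( 'MULTISITE', true );\ndefine( 'DISALLOW_UNFILTERED_HTML', false );\n"

def parse_version(version):
    """'2015.0.2.1' -> (2015, 0, 2, 1); tuple order matches dotted order."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def plugin_version(header_text):
    """Read the 'Version:' field of a WordPress plugin file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None

def is_affected_version(version):
    # An unreadable version is treated as affected until proven otherwise.
    return version is None or parse_version(version) <= AFFECTED_MAX

def wp_config_flags(config_text):
    """Collect boolean define()s such as MULTISITE / DISALLOW_UNFILTERED_HTML."""
    pat = r"""define\(\s*['"](\w+)['"]\s*,\s*(true|false)\s*\)"""
    return {k: v.lower() == "true" for k, v in re.findall(pat, config_text, re.I)}

def assess(header_text, config_text):
    """Combine version check and wp-config flags into one exposure verdict."""
    if "Plugin Name:" not in header_text:
        return {"installed": False, "exposed": False}
    flags, version = wp_config_flags(config_text), plugin_version(header_text)
    multisite = flags.get("MULTISITE", False)
    # Only the wp-config route to disabling unfiltered_html is visible here.
    no_unfiltered = flags.get("DISALLOW_UNFILTERED_HTML", False)
    affected = is_affected_version(version)
    return {"installed": True, "version": version, "affected_version": affected,
            "multisite": multisite, "unfiltered_html_disabled": no_unfiltered,
            "exposed": affected and (multisite or no_unfiltered)}

def audit_install(root, plugin_dir="developer-formatter"):
    """Run assess() against an install on disk (plugin slug is an assumption)."""
    base = Path(root)
    php = (base / "wp-content" / "plugins" / plugin_dir).glob("*.php")
    header = next((p.read_text(errors="ignore") for p in php
                   if "Plugin Name:" in p.read_text(errors="ignore")), "")
    cfg = base / "wp-config.php"
    return assess(header, cfg.read_text(errors="ignore") if cfg.exists() else "")
```

Run audit_install("/var/www/site") per install; an "exposed": True result means step 3 (disable or remove the plugin) applies to that site.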
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-04T20:37:32.506Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68429199182aa0cae20492f8
Added to database: 6/6/2025, 6:58:33 AM
Last enriched: 7/7/2025, 5:42:44 PM
Last updated: 8/17/2025, 10:49:56 AM