CVE-2025-5841 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability affecting the ACF Onyx Poll plugin for WordPress, developed by andremacola. This vulnerability exists in all versions up to and including 1.1.9 due to improper neutralization of input during web page generation, specifically via the 'class' parameter. The root cause is insufficient input sanitization and output escaping, which allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or other malicious actions. The vulnerability requires no user interaction beyond visiting the injected page and does not require higher privileges than Contributor, making it relatively accessible to attackers who have some level of authenticated access. The CVSS v3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required at the Contributor level, no user interaction, and a scope change due to the impact extending beyond the vulnerable component. The impact affects confidentiality and integrity but not availability. No known exploits are reported in the wild as of the publication date (June 13, 2025), and no official patches have been linked yet. The vulnerability is categorized under CWE-79, which is a common and well-understood web application security issue related to improper input validation and output encoding in dynamic web content generation.

For European organizations, this vulnerability poses a significant risk primarily to websites using WordPress with the ACF Onyx Poll plugin installed. Since WordPress is widely used across Europe for corporate, governmental, and small-to-medium enterprise websites, the potential for exploitation exists wherever this plugin is deployed. An attacker with Contributor-level access could inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to theft of authentication cookies, unauthorized actions on behalf of users, or distribution of malware. This could result in data breaches, reputational damage, and regulatory non-compliance, especially under GDPR, which mandates protection of personal data. The scope change in the CVSS score indicates that the vulnerability could affect components beyond the plugin itself, such as other parts of the WordPress site or integrated services. Given that Contributor-level access is often granted to content creators or editors, insider threats or compromised accounts could be leveraged to exploit this vulnerability. The lack of user interaction requirement increases the risk of automated or widespread exploitation once a malicious payload is injected. Although no known exploits are currently reported, the medium severity and ease of exploitation warrant proactive mitigation to prevent potential attacks.

1. Immediate mitigation should include restricting Contributor-level access to trusted users only and auditing existing user roles to minimize unnecessary privileges. 2. Implement Web Application Firewall (WAF) rules that detect and block suspicious input patterns targeting the 'class' parameter in the ACF Onyx Poll plugin. 3. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of potential XSS payloads. 4. Monitor logs for unusual activity related to plugin usage or unexpected changes in poll content. 5. Until an official patch is released, consider disabling or removing the ACF Onyx Poll plugin if it is not essential. 6. For organizations with development resources, review and sanitize all inputs related to the 'class' parameter in the plugin source code, applying proper output encoding as a temporary fix. 7. Educate content contributors about the risks of uploading or entering untrusted content and enforce strict content validation policies. 8. Regularly check for updates from the vendor and apply patches promptly once available.