CVE-2025-5841 identifies a stored Cross-Site Scripting (XSS) vulnerability in the ACF Onyx Poll plugin for WordPress, maintained by andremacola. This vulnerability arises from improper neutralization of input during web page generation, specifically through the 'class' parameter. All versions up to and including 1.1.9 are affected due to insufficient input sanitization and output escaping. An attacker with Contributor-level or higher privileges can inject arbitrary JavaScript code into pages by manipulating the 'class' parameter. Because the injected scripts are stored, they execute every time a user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users. The vulnerability does not require user interaction beyond visiting the page but does require authenticated access, limiting the attack surface to users with some level of trust. The CVSS 3.1 score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, and privileges required. No patches or exploits are currently publicly available, but the vulnerability's presence in a popular WordPress plugin makes it a significant concern for website administrators. The issue falls under CWE-79, a common web application security weakness related to cross-site scripting.

The impact of CVE-2025-5841 can be significant for organizations running WordPress sites with the vulnerable ACF Onyx Poll plugin. Successful exploitation allows attackers to execute arbitrary scripts in the context of users visiting the compromised pages, potentially leading to session hijacking, credential theft, unauthorized actions, or defacement. Since the vulnerability requires Contributor-level access, attackers must first compromise or have legitimate access to an account with such privileges, which may be easier in environments with weak access controls or compromised credentials. The scope includes all users who visit the infected pages, potentially including administrators, increasing the risk of privilege escalation or site takeover. Although no known exploits are reported yet, the medium severity and ease of exploitation with low complexity make this a credible threat. Organizations could face reputational damage, data breaches, or service disruptions if the vulnerability is exploited. The lack of a patch increases the urgency for interim mitigations.

To mitigate CVE-2025-5841, organizations should immediately review and restrict user permissions, ensuring that only trusted users have Contributor-level or higher access. Implement strict input validation and output encoding for the 'class' parameter in the plugin's code if custom fixes are possible. Monitor web server logs and WordPress activity logs for unusual input patterns or script injections related to the plugin. Disable or remove the ACF Onyx Poll plugin until a vendor patch is released. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'class' parameter. Educate site administrators and users about the risks of privilege misuse and enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of account compromise. Regularly back up website data to enable recovery in case of an incident. Stay updated with vendor announcements for patches or updates addressing this vulnerability.