CVE-2025-5923 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Game Review Block plugin for WordPress, developed by marcdk. This vulnerability exists due to improper neutralization of input during web page generation, specifically through the 'className' parameter. All versions up to and including 4.8.1 are affected. The root cause is insufficient input sanitization and lack of proper output escaping, which allows authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes every time any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users without their consent. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change. No public exploits have been reported yet. The vulnerability is categorized under CWE-79, which covers improper neutralization of input leading to XSS. The issue was publicly disclosed on June 13, 2025, with no official patches available at the time of reporting. The vulnerability affects a widely used WordPress plugin, which is popular among gaming-related websites and communities.

The impact of CVE-2025-5923 is significant for organizations running WordPress sites that utilize the Game Review Block plugin. Successful exploitation allows attackers with Contributor-level access to inject persistent malicious scripts, which execute in the context of any user visiting the compromised page. This can lead to theft of authentication cookies, session hijacking, unauthorized actions performed on behalf of users, defacement, or redirection to malicious sites. Although the vulnerability does not directly affect availability, the compromise of user accounts and site integrity can cause reputational damage, loss of user trust, and potential data breaches. Since Contributor-level access is required, attackers must have some level of authenticated access, which may be obtained through social engineering or compromised credentials. The scope change in the CVSS vector indicates that the vulnerability affects resources beyond the attacker’s privileges, increasing the risk. Organizations with high traffic WordPress sites, especially those focused on gaming content, are at elevated risk. The absence of known exploits in the wild suggests limited immediate threat but also highlights the need for proactive mitigation before attackers develop weaponized payloads.

To mitigate CVE-2025-5923, organizations should immediately update the Game Review Block plugin to a patched version once available from the vendor. In the absence of an official patch, administrators should implement strict input validation on the 'className' parameter, ensuring that only safe characters and expected values are accepted. Employing output encoding techniques when rendering user-supplied data in HTML contexts can prevent script execution. Restrict Contributor-level user permissions to trusted individuals and monitor for suspicious activity or unauthorized content changes. Implement Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting the affected parameter. Regularly audit WordPress plugins for security updates and remove unused or unmaintained plugins. Additionally, enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Educate site administrators and contributors about the risks of XSS and the importance of secure content management practices.