CVE-2025-8391 is a Stored Cross-Site Scripting (XSS) vulnerability identified in the Magic Edge – Lite WordPress plugin developed by awssoft. This vulnerability affects all versions up to and including 1.1.6. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'height' parameter. An authenticated attacker with Contributor-level or higher privileges can exploit this flaw by injecting malicious JavaScript code into pages via the vulnerable parameter. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or other malicious actions. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges but no user interaction. The scope is changed, meaning the vulnerability can affect resources beyond the initially compromised component. No known exploits are currently reported in the wild, and no official patches have been released yet. The vulnerability was publicly disclosed on August 2, 2025, with the Wordfence team as the assigner. This vulnerability falls under CWE-79, which covers improper neutralization of input leading to XSS attacks.

For European organizations using WordPress sites with the Magic Edge – Lite plugin, this vulnerability poses a significant risk to web application security and user trust. Stored XSS can lead to the theft of authentication cookies, enabling attackers to impersonate legitimate users, including administrators, potentially resulting in unauthorized access and control over the website. This can further lead to data breaches, defacement, or distribution of malware to site visitors. Given the medium CVSS score and the requirement for Contributor-level access, insider threats or compromised accounts are the most likely attack vectors. The impact on confidentiality and integrity is moderate, while availability is not directly affected. European organizations that rely on WordPress for e-commerce, customer portals, or internal communication could face reputational damage, regulatory scrutiny under GDPR for data protection failures, and financial losses due to exploitation of this vulnerability.

1. Immediate mitigation should include restricting Contributor-level access to trusted users only and reviewing existing user privileges to minimize the risk of exploitation. 2. Implement Web Application Firewall (WAF) rules that detect and block suspicious payloads targeting the 'height' parameter in Magic Edge – Lite plugin requests. 3. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 4. Monitor logs for unusual activity related to the plugin or unexpected script injections. 5. Since no official patch is currently available, consider temporarily disabling the Magic Edge – Lite plugin or replacing it with alternative plugins that provide similar functionality without this vulnerability. 6. Educate site administrators and content contributors about the risks of XSS and safe content practices. 7. Once a patch is released, prioritize immediate testing and deployment to eliminate the vulnerability.