CVE-2025-8391 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Magic Edge – Lite WordPress plugin developed by awssoft. This vulnerability exists in all versions up to and including 1.1.6 due to improper input sanitization and output escaping of the 'height' parameter. Specifically, authenticated users with Contributor-level access or higher can inject arbitrary JavaScript code into pages by manipulating this parameter. Because the malicious script is stored persistently, it executes whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the affected WordPress site. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4 (medium severity), reflecting that the attack vector is network-based, requires low attack complexity, and privileges at the contributor level, but does not require user interaction. The scope is changed, meaning the vulnerability can impact components beyond the vulnerable plugin itself. No known exploits are currently reported in the wild, and no official patches have been released at the time of publication (August 2025).

For European organizations using WordPress websites with the Magic Edge – Lite plugin, this vulnerability poses a significant risk. Attackers with contributor-level access—often achievable through compromised credentials or social engineering—can inject malicious scripts that execute in the browsers of site visitors or administrators. This can lead to theft of authentication cookies, defacement, unauthorized content changes, or distribution of malware. The impact is particularly critical for organizations handling sensitive data or providing services to customers, as it can undermine trust and lead to data breaches or regulatory non-compliance under GDPR. Additionally, since the vulnerability allows scope change, it may enable attackers to affect other components or plugins within the WordPress environment, increasing the potential damage. The absence of user interaction for exploitation means automated attacks or worm-like propagation within vulnerable sites are possible, increasing the threat surface. Given WordPress's popularity in Europe, especially among SMEs and public sector entities, exploitation could disrupt business operations and damage reputations.

Immediate mitigation involves upgrading the Magic Edge – Lite plugin to a version that addresses this vulnerability once released by the vendor. Until a patch is available, organizations should restrict Contributor-level access strictly to trusted users and audit existing user privileges to minimize risk. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'height' parameter can reduce exploitation likelihood. Additionally, employing Content Security Policy (CSP) headers can limit the impact of injected scripts by restricting script execution sources. Regular security audits and monitoring for unusual activity or injected scripts in WordPress pages are recommended. Organizations should also educate content contributors about the risks of injecting untrusted input and enforce strict input validation policies. Finally, isolating WordPress instances and limiting plugin usage to only those necessary reduces the attack surface.