CVE-2025-8391 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Magic Edge – Lite plugin for WordPress developed by awssoft. This vulnerability affects all versions up to and including 1.1.6. The root cause is insufficient input sanitization and output escaping of the 'height' parameter, which is used during web page generation. Authenticated attackers with Contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages via the vulnerable parameter. Because the malicious script is stored, it executes whenever any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability does not require user interaction beyond visiting the page, but it does require the attacker to have authenticated access with contributor or higher privileges, which is a moderate barrier. The CVSS v3.1 score is 6.4, reflecting medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. No patches or exploit code are currently publicly available, and no known exploitation in the wild has been reported. This vulnerability highlights the importance of proper input validation and output encoding in WordPress plugins, especially those that accept user-supplied parameters influencing page content.

The impact of CVE-2025-8391 is significant for organizations running WordPress sites with the Magic Edge – Lite plugin installed. Successful exploitation allows attackers with contributor or higher privileges to inject persistent malicious scripts that execute in the browsers of any users visiting the compromised pages. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and potential site defacement or redirection to malicious sites. Since contributors can create and edit content, the attack surface includes many sites with active user-generated content workflows. The scope of affected systems is broad given WordPress's global popularity and the plugin's usage. Although exploitation requires authenticated access, insider threats or compromised contributor accounts can facilitate attacks. The vulnerability undermines the confidentiality and integrity of user data and site content but does not directly affect availability. Organizations may face reputational damage, data breaches, and compliance issues if exploited.

To mitigate CVE-2025-8391, organizations should immediately upgrade the Magic Edge – Lite plugin to a version that addresses the vulnerability once released by the vendor. In the absence of an official patch, administrators can implement the following practical measures: restrict contributor-level permissions to trusted users only and review user roles to minimize unnecessary privileges; employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'height' parameter; sanitize and validate all user inputs at the application level, especially parameters influencing page content; implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts; monitor logs and site content for unusual script injections or modifications; and educate content contributors about the risks of injecting untrusted content. Additionally, conduct regular security audits and vulnerability scans focusing on plugin components. Promptly revoke or reset credentials of any suspicious contributor accounts to reduce insider threat risks.