WordPress Plugin Vulnerabilities

SecuPress Free < 2.2.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The SecuPress Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.2.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
secupress
Fixed in 2.2.5.4

References

CVE
CVE-2025-30907
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/983e5334-85e3-476d-9f47-874a35f70177

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
zaim
Verified
No
WPVDB ID
2a2c7446-4c6f-4e98-b90e-03ba4fad8392

Timeline

Publicly Published
2025-03-27 (about 1 year ago)
Added
2025-04-02 (about 1 year ago)
Last Updated
2025-04-02 (about 1 year ago)

Other

Published
Title
Published
2024-11-28
Title
Simple Popup <= 4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2026-06-01
Title
hiWeb Migration Simple <= 2.0.0.1 - Reflected Cross-Site Scripting via 'new_domain' Parameter
Published
2025-03-27
Title
Ultimate Dashboard < 3.8.6 - Admin+ Stored XSS
Published
2024-04-09
Title
Bold Page Builder < 4.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via AI Features
Published
2023-09-13
Title
Booster for WooCommerce < 7.1.1 - Contributor+ Stored Cross-Site Scripting