| Plugin Name | Flexi – Guest Submit |
|---|---|
| Type of Vulnerability | Stored XSS |
| CVE Number | CVE-2025-9129 |
| Urgency | Low |
| CVE Publish Date | 2025-10-03 |
| Source URL | CVE-2025-9129 |
Urgent: Flexi – Guest Submit Plugin (≤ 4.28) — Authenticated (Contributor+) Stored XSS via flexi-form-tag Shortcode (CVE-2025-9129)
TL;DR
A stored Cross-Site Scripting (XSS) vulnerability affects the Flexi – Guest Submit plugin up to version 4.28. An authenticated user with Contributor-level privileges (or higher) can inject HTML/JavaScript into content via the flexi-form-tag shortcode. The payload is stored and later rendered to visitors or administrators, allowing arbitrary script execution in victim browsers. No official vendor patch was available at the time of disclosure. This advisory is written from the perspective of a Hong Kong security expert with experience responding to WordPress incidents.
About this vulnerability
- Affected plugin: Flexi – Guest Submit (plugin versions ≤ 4.28)
- Vulnerability type: Stored Cross-Site Scripting (XSS)
- Privilege required: Authenticated user with Contributor role or above
- CVE: CVE-2025-9129
- Public disclosure date: 3 October 2025
- Status: No official fix available at the time of disclosure
What this means: An attacker who can log in with a Contributor account (or equivalent) can submit crafted input that is saved to the database and later rendered unescaped where the plugin outputs flexi-form-tag content. When other users (including administrators) view the affected content, the injected script executes in their browser context and can steal session data, perform actions as the user, inject content, deploy secondary payloads, or redirect visitors.
Why this is severe even if classified “Low”
Stored XSS is deceptively dangerous. In Hong Kong and international environments where editorial workflows expose privileged users to contributor submissions, a stored payload can be triggered during routine review. Potential impacts include:
- Session theft and account takeover if authentication cookies or CSRF tokens are exposed.
- Delivery of secondary payloads (for example, webshells or malicious plugin/theme files) via automated script actions.
- SEO and reputational damage through injected spam, phishing pages, or mass redirects.
- Supply-chain risk for multisite installations or environments with shared administrative access.
- Automated harvesting and propagation: once a stored payload exists, crawlers, bots or automated previews may expand impact.
Even with “low” urgency, the practical risk depends on who previews or views the stored content.
How the attack works (high-level)
- An attacker with Contributor access logs into WordPress.
- Using the plugin’s submission UI or shortcodes, the attacker submits crafted input that the shortcode processor accepts.
- The plugin stores the submitted data without sufficient sanitization/escaping.
- When the stored submission is displayed (admin preview, frontend, editorial review), the browser executes the embedded script.
- The script then performs browser-based actions: cookie theft, unauthorized requests, redirects, or payload retrieval from attacker-controlled infrastructure.
Exploit payloads are deliberately omitted here. Site owners should assume exploitability and act accordingly.
Indicators of compromise (IoC) to look for
- Unexplained JavaScript or inline event handlers in post content, especially content generated by user submissions or shortcodes.
- Unexpected redirects, popups, or modified page content on pages that previously behaved normally.
- Administrator actions or content changes recorded in audit logs that were not performed by authorized admins.
- Unusual outbound HTTP requests from the site to unfamiliar domains.
- New cron events or scheduled tasks created after contributor submissions.
- Presence of
