CVE-2025-0311: 
WordPress vulnerability analysis and mitigation

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Pricing Table widget in versions up to and including 2.10.43. The vulnerability was discovered on January 10, 2025, and was assigned CVE-2025-0311. The issue affects the plugin's Pricing Table widget functionality due to insufficient input sanitization and output escaping on user-supplied attributes (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the Pricing Table widget component. The issue allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts that execute when users access the affected pages. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST and 6.4 (Medium) by Wordfence, indicating moderate severity (NVD).

When exploited, this vulnerability allows authenticated attackers to inject malicious scripts that execute in users' browsers when they visit pages containing the compromised Pricing Table widget. This could lead to various attacks including cookie theft, session hijacking, or other client-side attacks against site visitors (NVD).

The vulnerability has been patched in version 2.10.44 of the Orbit Fox plugin. Site administrators are strongly recommended to update to this version or later. The fix includes improved input sanitization and proper escaping of user-supplied attributes in the Pricing Table widget (WordPress Plugin).