CVE-2025-1452: 
WordPress vulnerability analysis and mitigation

The Favorites WordPress plugin before version 2.3.5 contains a stored Cross-Site Scripting (XSS) vulnerability. The plugin fails to properly sanitize and escape some of its settings, which could enable high-privilege users such as administrators to perform Stored XSS attacks, even when the unfiltered_html capability is disabled, such as in multisite setups. This vulnerability was discovered and reported by Thanh Hang, and was publicly disclosed on March 4, 2025 (WPScan).

The vulnerability has been assigned a CVSS v3.1 base score of 3.5 (LOW) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N. The issue specifically affects the Settings » Favorites » Display & Post Types section, where malicious XSS payloads can be inserted into the 'Button Markup: Unfavorited' field. When saved, the XSS payload is automatically added to every new post and executed (WPScan).

When exploited, this vulnerability allows high-privilege users to execute stored Cross-Site Scripting attacks. The impact is particularly notable in multisite WordPress installations where even administrators are typically restricted from using unfiltered HTML. The vulnerability could potentially lead to client-side attacks against other users viewing the affected posts (WPScan).

The vulnerability has been patched in version 2.3.5 of the Favorites WordPress plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).