CVE-2025-25144: 
WordPress vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability has been identified in the Theasys WordPress plugin, tracked as CVE-2025-25144. The vulnerability was discovered on January 22, 2025, and publicly disclosed on February 3, 2025. This security issue affects Theasys plugin versions up to and including 1.0.1, allowing for Stored XSS attacks through Cross-Site Request Forgery (CSRF) (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 7.1 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability can be exploited by unauthenticated attackers and involves improper neutralization of input during web page generation, leading to stored cross-site scripting attacks (NVD, Patchstack).

The vulnerability allows malicious actors to force higher privileged users to execute unwanted actions under their current authentication through CSRF, which can lead to stored XSS attacks. This creates potential risks for data exposure, session hijacking, and unauthorized actions performed on behalf of authenticated users (Patchstack).

As of February 2025, no official fix is available for this vulnerability. The issue affects versions up to and including 1.0.1 of the Theasys WordPress plugin (Patchstack).