CVE-2025-4579: 
WordPress vulnerability analysis and mitigation

The WP Content Security Plugin for WordPress (versions up to 2.3) contains a Stored Cross-Site Scripting vulnerability identified as CVE-2025-4579. The vulnerability was discovered by researcher Nguyễn Trung Kiên and publicly disclosed on May 14, 2025. The security flaw exists in the plugin's handling of the blocked-uri and effective-directive parameters due to insufficient input sanitization and output escaping (NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 7.2 (High). The attack vector is characterized as Network-based (AV:N) with Low attack complexity (AC:L), requiring No privileges (PR:N) and No user interaction (UI:N). The scope is Changed (S:C) with Low confidentiality (C:L) and integrity (I:L) impacts, and No availability impact (A:N) (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. This can lead to potential theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's browser (NVD).