CVE-2025-5116: 
WordPress vulnerability analysis and mitigation

The WP Plugin Info Card plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-5116) in versions up to and including 5.3.1. The vulnerability was discovered in the 'containerid' parameter due to insufficient input sanitization and output escaping. This issue was identified as an incomplete patch for a previous vulnerability (CVE-2025-31835) and was disclosed on June 3, 2025 (NVD).

The vulnerability exists in the plugin's handling of the 'containerid' parameter, where proper input sanitization and output escaping were not implemented. The issue affects authenticated users with Contributor-level access and above. The vulnerability has been assigned a CVSS v3.1 score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the affected page, potentially leading to the compromise of user sessions, theft of sensitive information, or other malicious actions (NVD).

The vulnerability has been patched in version 5.4.0 of the WP Plugin Info Card plugin. Users are strongly advised to update to this version immediately. The fix includes proper escaping of the containerid parameter using esc_attr() function (WordPress Plugin, Plugin Changeset).