CVE-2025-5235: 
WordPress vulnerability analysis and mitigation

The OpenSheetMusicDisplay plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-5235) in versions up to and including 1.4.0. The vulnerability exists due to insufficient input sanitization and output escaping of the 'className' parameter. This security issue was discovered and disclosed on May 26, 2025 (CVE).

The vulnerability allows authenticated attackers with Contributor-level access or above to inject arbitrary web scripts into pages through the 'className' parameter. These malicious scripts will execute whenever a user accesses an affected page. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.4 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

Successful exploitation of this vulnerability could allow authenticated attackers to inject malicious JavaScript code that executes in visitors' browsers when they access affected pages. This could lead to theft of sensitive information, session hijacking, or other client-side attacks against site visitors (Rapid7).

The vulnerability has been patched in version 1.4.1 of the OpenSheetMusicDisplay plugin. Users should update to this version immediately. The update includes proper input sanitization on render to prevent XSS attacks from authenticated users (WordPress Plugin).