CVE-2025-5240: 
WordPress vulnerability analysis and mitigation

The CRM and Lead Management by vcita plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-5240) discovered on July 21, 2025. The vulnerability affects all versions up to and including 2.7.5. This security issue exists in the plugin's handling of the 'type' parameter due to insufficient input sanitization and output escaping (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 6.4 (Medium). The vulnerability allows authenticated users with Contributor-level access or higher to inject arbitrary web scripts through the 'type' parameter. These malicious scripts persist in the database and execute when users access the affected pages (NVD).

When exploited, this vulnerability allows authenticated attackers to store malicious JavaScript code that executes in the browsers of users who visit the affected pages. This could lead to theft of sensitive information, session hijacking, or other client-side attacks against site visitors (NVD).

Website administrators should update the CRM and Lead Management by vcita plugin to a version newer than 2.7.5 once available. Until then, it is recommended to limit access to the WordPress dashboard to only trusted users and review existing user permissions (NVD).