CVE-2025-53296: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the WordPress EC Stars Rating plugin, tracked as CVE-2025-53296. The vulnerability affects versions up to and including 1.0.11 of the EC Stars Rating plugin. This security issue was discovered by Nguyen Ngoc Quang Bach (maysbachs) and was publicly disclosed on June 27, 2025 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It has received a CVSS v3.1 base score of 5.9 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires administrator-level privileges to exploit (Patchstack).

If exploited, this vulnerability could allow an attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

As there is no official fix available and the software is considered abandoned, the recommended mitigation is to remove and replace the EC Stars Rating plugin with an alternative solution. Deactivating the software alone does not remove the security threat unless a virtual patch is deployed (Patchstack).