CVE-2025-54699: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Masteriyo - LMS WordPress plugin, identified as CVE-2025-54699. The vulnerability affects versions up to and including 1.18.3 of the plugin. The issue was initially reported on July 12, 2025, and was publicly disclosed on July 30, 2025. This security flaw affects the WordPress plugin developed by ThemeGrill (Patchstack, NVD).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It has been assigned a CVSS v3.1 base score of 6.5 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires low attack complexity and privileges, with user interaction required for successful exploitation. The attack vector is network-based, affecting the confidentiality, integrity, and availability of the system (Rapid7).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the injected page, potentially leading to unauthorized actions, data theft, or site defacement (Patchstack).

The vulnerability has been patched in version 1.18.4 of the Masteriyo - LMS plugin. Site administrators are advised to update to this version or later to remove the vulnerability. For sites using Patchstack, users can enable auto-update functionality for vulnerable plugins (Patchstack).