CVE-2025-5490: 
WordPress vulnerability analysis and mitigation

The Football Pool plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-5490) discovered on June 19, 2025. The vulnerability affects all versions up to and including 2.12.4 of the plugin. This security issue exists in the admin settings functionality due to insufficient input sanitization and output escaping (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 5.5 (Medium). The attack vector is network-based (AV:N), requires low attack complexity (AC:L), high privileges (PR:H), no user interaction (UI:N), and has a changed scope (S:C) with low confidentiality and integrity impacts (C:L/I:L) and no availability impact (A:N) (NVD, Wiz).

When exploited, this vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected page. The scope is limited to multi-site installations and installations where unfiltered_html has been disabled (NVD).

The vulnerability has been patched in version 2.12.5 of the Football Pool plugin. Users are advised to update to this latest version to address the XSS vulnerability. The update includes fixes specifically targeting the input sanitization and output escaping issues in the admin interface (WordPress Plugin).