CVE-2025-57890: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Pierre Lannoy Sessions plugin for WordPress, tracked as CVE-2025-57890. The vulnerability affects versions up to and including 3.2.0, discovered on August 22, 2025. The security flaw exists due to insufficient input sanitization and output escaping in the plugin (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 5.9 (Medium). The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring high privileges (PR:H) and user interaction (UI:R). The scope is changed (S:C) with low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L) (Rapid7).

This vulnerability only impacts multi-site installations and installations where unfiltered_html has been disabled. When successfully exploited, it allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page (Rapid7).

The vulnerability has been patched in version 3.2.1 of the Sessions plugin. Users are advised to update to this version or later to remove the vulnerability. For Patchstack users, enabling auto-update for vulnerable plugins is recommended as an additional security measure (Patchstack).