CVE-2025-5807: 
WordPress vulnerability analysis and mitigation

The Gwolle Guestbook plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'gwollegbcontent' parameter in versions up to and including 4.9.2. This vulnerability was discovered and reported by security researcher zer0gh0st (D.Sim) through Wordfence, and was assigned CVE-2025-5807. The vulnerability was disclosed on July 9, 2025 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the BBcode functionality. The issue allows unauthenticated attackers to inject arbitrary web scripts that execute whenever a user accesses an injected page. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity and no privileges required (NVD, Wordfence).

When exploited, this vulnerability allows attackers to inject malicious web scripts into the guestbook content. These scripts will execute in the context of other users' browsers when they view the affected pages, potentially leading to theft of sensitive information or manipulation of the user interface (NVD).

The vulnerability has been patched in version 4.9.3 of the Gwolle Guestbook plugin. The fix includes improved sanitization of BBcode data through url and img tags, implementing escurl and wpkses functions, and using pregreplacecallback for sanitizing content (WordPress Plugin).