CVE-2025-6488: 
WordPress vulnerability analysis and mitigation

The isMobile plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-6488) that affects all versions up to and including 1.1.1. The vulnerability was discovered and reported by Wordfence, with the initial disclosure on June 21, 2025 (NVD, Wiz).

The vulnerability stems from insufficient input sanitization and output escaping of the 'device' parameter in the isMobile plugin. It has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (Wordfence).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or theft of sensitive information (NVD).

A security fix has been implemented and released on June 26, 2025, as evidenced by the WordPress plugin repository changelog. Users are advised to update to version 1.1.2 of the plugin to address this vulnerability (WordPress Plugin).