CVE-2025-7059: 
WordPress vulnerability analysis and mitigation

The Simple Featured Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slideshow' parameter in all versions up to, and including, 1.3.1. This vulnerability was disclosed on July 9, 2025, and affects WordPress installations with the Simple Featured Image plugin installed (NVD).

The vulnerability exists due to insufficient input sanitization and output escaping in the plugin's handling of the 'slideshow' parameter. The issue has been assigned a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page, potentially leading to session hijacking, credential theft, or other client-side attacks (NVD).

The plugin has been temporarily closed as of July 7, 2025, pending a full security review. Site administrators should consider disabling or removing the Simple Featured Image plugin until a patched version is available (WordPress Plugin).