CVE-2025-8394: 
WordPress vulnerability analysis and mitigation

The Productive Style plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 1.1.23, identified as CVE-2025-8394. The vulnerability exists in the plugin's display_productive_breadcrumb shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. The issue was discovered and disclosed on September 16, 2025 (NVD).

The vulnerability stems from improper input validation and output escaping in the display_productive_breadcrumb shortcode functionality. The issue allows authenticated users with contributor-level access or higher to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the affected page. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD, AttackerKB).

The vulnerability allows authenticated attackers to inject malicious scripts that execute in users' browsers when they visit affected pages. This could lead to various attacks including cookie theft, session hijacking, or other client-side attacks. The impact is heightened as the injected scripts persist in the page content and affect all visitors to the compromised pages (NVD).

Website administrators running affected versions of the Productive Style plugin should upgrade to version 1.1.25 or later, which was released on September 24, 2025. The update includes security fixes and improved input validation (WordPress Plugin).