CVE-2025-5843 in Brandfolder Plugin
Summary
by MITRE • 07/16/2025
The Brandfolder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 5.0.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 07/16/2025
CVE-2025-5843 is a critical stored cross-site scripting flaw in the Brandfolder plugin for WordPress. It affects all versions up to and including 5.0.19, so every WordPress installation running the plugin is exposed until it is updated. The flaw stems from inadequate input sanitization and insufficient output escaping in the plugin's codebase, leaving a persistent weakness that authenticated attackers with Contributor-level privileges or higher can exploit. The 'id' parameter is the attack vector: script supplied through it enters the application's data flow without being neutralized.
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. Cross-Site Scripting), a weakness in input validation and output escaping. Because the XSS is stored, the injected script is persisted in the application's database and delivered on every subsequent view of the affected page rather than executing only within a single crafted request, which makes the attack more persistent and potentially more damaging. An attacker can use it to execute arbitrary web script in the browser of any user who visits the page, performing actions on that user's behalf or stealing sensitive information. Exploitation requires only Contributor-level access, which is particularly concerning because that role is commonly granted to users who are meant to have limited administrative capabilities.
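The root cause described above, insufficient sanitization of the 'id' parameter on input and missing escaping on output, follows a pattern that is easy to show in WordPress plugin code. The following is an added illustration, not Brandfolder's own code: it assumes a hypothetical shortcode `[asset_embed id="..."]` that a Contributor can place in a post, and shows the vulnerable handler beside a hardened one using only standard WordPress functions.

```php
<?php
/**
 * Added illustration (not Brandfolder code): how an unescaped shortcode
 * attribute becomes stored XSS, and the hardened equivalent.
 * The shortcode name, attribute handling and markup are all hypothetical.
 */

// VULNERABLE PATTERN: the 'id' attribute is saved with the post content and
// echoed straight into the markup when the page renders. WordPress's KSES
// filtering of a Contributor's post does not rewrite what a plugin prints here.
function vuln_asset_embed_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'asset_embed' );
    // A quote or angle bracket inside $atts['id'] breaks out of the attribute,
    // and the result is served to every visitor of the page.
    return '<div class="asset" data-asset-id="' . $atts['id'] . '"></div>';
}

// HARDENED PATTERN: validate on input, escape for the output context.
function safe_asset_embed_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'asset_embed' );

    // 1. Validate: an asset id is an identifier, not free text. Here it is
    //    treated as a positive integer; absint() turns anything else into 0.
    //    If ids are alphanumeric, use a strict allow-list regex instead, e.g.
    //    preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $atts['id'] ).
    $id = absint( $atts['id'] );
    if ( 0 === $id ) {
        return ''; // render nothing rather than echo attacker-controlled text
    }

    // 2. Escape at the moment of output for the exact context (HTML attribute).
    //    esc_attr() encodes " ' < > & so the value cannot close the attribute.
    return sprintf(
        '<div class="asset" data-asset-id="%s"></div>',
        esc_attr( (string) $id )
    );
}

add_shortcode( 'asset_embed', 'safe_asset_embed_shortcode' );
```

Both steps matter: validation alone is bypassed when the id format later becomes less strict, and escaping alone still stores attacker-controlled text that may be emitted elsewhere (JSON, JavaScript) where esc_attr() is the wrong encoder.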
Operationally, this vulnerability poses a substantial risk to WordPress sites using the Brandfolder plugin, because it lets attackers compromise user sessions and potentially escalate privileges within the application. Since the injected script runs every time a user accesses the affected page, the attack can persist for extended periods and reach many users over time. The stored script can be used to steal cookies, session tokens or other sensitive data from authenticated users, and if it executes in an administrator's browser it can drive administrative actions within the WordPress environment. The impact therefore extends beyond data theft to potential complete compromise of the site if the injected script is used to manipulate the application's behavior.
Mitigation of CVE-2025-5843 should prioritize updating the Brandfolder plugin to the latest version that addresses the vulnerability, as patching is the only measure that removes the flaw. Organizations should also monitor for suspicious user activity, particularly around the plugin's functionality, and audit installed plugins regularly. A web application firewall can add a protective layer, but it is not a substitute for proper patch management. Security teams should further restrict the number of accounts holding Contributor-level access or higher, since fewer such accounts means a smaller attack surface for vulnerabilities of this kind. The ATT&CK framework categorizes this vulnerability under the T1566.001 technique for Initial Access through Web Shell, emphasizing the need for proper input validation and the principle of least privilege to keep such attacks from escalating into more serious security incidents.