CVE-2025-9992 in Ghost Kit Plugin
Summary
by MITRE • 09/18/2025
The Ghost Kit – Page Builder Blocks, Motion Effects & Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS field in all versions up to, and including, 3.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 09/18/2025
The Ghost Kit plugin for WordPress represents a popular page building solution that enables users to create dynamic content with various blocks and motion effects. This vulnerability affects all versions up to and including 3.4.3, making it a significant concern for WordPress installations that utilize this plugin. The flaw resides in how the plugin handles user input within its custom JavaScript field functionality, which creates an attack vector that can be exploited by authenticated users with Contributor-level permissions or higher. The vulnerability classification aligns with CWE-79 which specifically addresses Cross-Site Scripting flaws in web applications, where insufficient sanitization of user-provided data leads to execution of malicious scripts in the context of the victim's browser.
The technical implementation of this vulnerability occurs within the plugin's handling of custom JavaScript inputs that are stored in the WordPress database and subsequently executed when pages are rendered. Attackers with Contributor access or higher can leverage this weakness by inserting malicious JavaScript code into the custom JS field, which then gets stored without proper sanitization or escaping mechanisms. When other users access pages containing this malicious content, the injected scripts execute in their browsers, potentially leading to session hijacking, data theft, or further exploitation of the victim's privileges. The vulnerability demonstrates a failure in the principle of least privilege and proper input validation, as the plugin fails to adequately sanitize user inputs before storing them in the database.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with a persistent means of compromising user sessions and potentially escalating their privileges within the WordPress environment. Since the vulnerability affects authenticated users with Contributor level access, it represents a significant risk for sites where multiple users have varying permission levels, as attackers can exploit this weakness to gain unauthorized access to sensitive content or perform actions within the WordPress administration interface. The stored nature of the XSS vulnerability means that the malicious scripts remain active until manually removed from the database, allowing for prolonged periods of exploitation. This type of vulnerability can be particularly dangerous in environments where users with lower privileges have access to content creation tools, as it creates a potential attack surface that can be leveraged for broader security breaches.
Organizations should immediately update to the latest version of the Ghost Kit plugin to remediate this vulnerability, as no patches were available for versions prior to the fix. Security practitioners should implement additional monitoring for suspicious JavaScript injections within the plugin's custom fields and consider implementing content security policies that limit script execution capabilities within the WordPress environment. The vulnerability also highlights the importance of proper input validation and output escaping practices, which are fundamental requirements in the OWASP Top Ten security guidelines and align with ATT&CK technique T1059.001 for executing malicious code through script injection. Administrators should also consider implementing role-based access controls to limit who can modify plugin configurations and custom JavaScript fields, reducing the attack surface for potential exploitation.