Description
The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘successredirect’ parameter in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-04-24
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

The FuseDesk plugin for WordPress contains a stored XSS flaw that lets authenticated users with Contributor or higher privileges inject JavaScript through the successredirect parameter. The value is neither sanitized on input nor escaped on output, so an attacker can store a script that runs in the browser of every user who views the affected page. A successful injection can steal session cookies, deface content, or drive phishing, and a script that fires in an administrator's session can do anything that administrator can do through the browser (create users, change settings, install plugins). The weakness is CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

Affected Systems

All releases of the FuseDesk WordPress plugin up to and including version 6.7 (vendor: jeremyshapiro) are affected. The flaw is in the plugin's own PHP handling of the successredirect value, so the PHP version and hosting environment do not change the exposure. Any site with the plugin installed that grants Contributor-level or higher accounts to people who are not fully trusted is at risk.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) rates the issue Medium: reachable over the network, low attack complexity, low privileges required, and a changed scope because the script executes in other users' browsers rather than in the attacker's own session. The EPSS score below 1% indicates a low predicted probability of exploitation in the wild, and the CVE is not in the CISA KEV catalog. Exploitation requires an authenticated account at Contributor level or above, which the attacker uses to supply a crafted successredirect value to the plugin. Because the value is stored, the payload persists until the offending content is removed or the plugin is fixed; upgrading alone does not delete payloads already saved. Injected scripts can be used for social engineering or to steal data from users who view the page.

Generated by OpenCVE AI on April 20, 2026 at 23:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a FuseDesk release later than 6.7 as soon as the vendor publishes one; the advisory covers all versions up to and including 6.7 and lists no fixed version.
  • Until a fix is available, stop using the feature that accepts successredirect, or deactivate the plugin, so that no malicious value can be stored.
  • Audit which accounts hold Contributor or higher roles and remove or downgrade any that are not trusted; the attack needs nothing more than such an account.
  • Search existing content for stored successredirect values that contain tags, event handlers, or javascript: URLs, and remove them; fixing the plugin does not clean up payloads that are already saved.
  • As a general rule, validate and sanitize user input on the way in and escape it for the exact output context (attribute, URL, HTML body) on the way out.
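To make the "sanitize on input, escape on output" advice concrete, here is an added example written for this page; it is hypothetical and is not FuseDesk's code. It assumes, purely for illustration, a shortcode that takes a successredirect attribute (the advisory does not say where the plugin reads the parameter) and the standard WordPress API functions shortcode_atts, wp_validate_redirect, esc_attr, esc_url, wp_safe_redirect, wp_unslash and home_url.

```php
<?php
// Hypothetical example, not FuseDesk's code. It shows the class of bug the
// advisory describes (a user-controlled "successredirect" value written into
// markup without sanitization or escaping) beside a hardened version.
// Assumes the WordPress plugin API: shortcode_atts, wp_validate_redirect,
// esc_attr, esc_url, wp_safe_redirect, wp_unslash, home_url.

// VULNERABLE: the attribute value is echoed raw into an attribute and a href.
// Any Contributor who can place the shortcode controls $redirect.
// A value like  "><img src=x onerror=alert(1)>  closes the value attribute
// and injects a tag; a value like  javascript:alert(1)  survives into the href.
function example_form_vulnerable( $atts ) {
    $atts     = shortcode_atts( array( 'successredirect' => '' ), $atts, 'example_form' );
    $redirect = $atts['successredirect']; // untrusted and unfiltered

    return '<form method="post">'
         . '<input type="hidden" name="successredirect" value="' . $redirect . '">'
         . '<a href="' . $redirect . '">Continue</a>'
         . '</form>';
}

// HARDENED: validate the value as a same-site http(s) URL, then escape it
// with the escaper for the exact context it is written into.
function example_form_hardened( $atts ) {
    $atts = shortcode_atts( array( 'successredirect' => '' ), $atts, 'example_form' );

    // 1. Sanitize on input. wp_validate_redirect() keeps only http/https URLs
    //    whose host is this site (or a host allowed via the
    //    allowed_redirect_hosts filter); javascript:, data:, and off-site
    //    URLs are replaced by the fallback, here the home page.
    $redirect = wp_validate_redirect( $atts['successredirect'], home_url( '/' ) );

    // 2. Escape on output. esc_attr() for an HTML attribute, esc_url() for a
    //    URL context (esc_url also drops disallowed schemes as a second line).
    return '<form method="post">'
         . '<input type="hidden" name="successredirect" value="' . esc_attr( $redirect ) . '">'
         . '<a href="' . esc_url( $redirect ) . '">Continue</a>'
         . '</form>';
}

add_shortcode( 'example_form', 'example_form_hardened' );

// When the form posts back, do not trust the stored value either:
// wp_safe_redirect() only follows hosts in allowed_redirect_hosts (the site
// itself by default), which also blocks open-redirect abuse of the parameter.
function example_form_handle_post() {
    if ( empty( $_POST['successredirect'] ) ) {
        return;
    }
    $target = wp_validate_redirect( wp_unslash( $_POST['successredirect'] ), home_url( '/' ) );
    wp_safe_redirect( $target );
    exit;
}
add_action( 'init', 'example_form_handle_post' );
```

The two changes that matter are the validation step, which turns the attacker's free-form string into a known-good local URL before anything is stored or rendered, and the context-specific escaping, which protects even if a bad value somehow reaches the output. Either one alone would have closed the reported bug; both together are the pattern to look for when reviewing a plugin.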


Tracking


Advisories
Source: EUVD
ID: EUVD-2025-12120
Title: The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘successredirect’ parameter in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 08 Apr 2026 18:30:00 +0000
  References: changed

Thu, 24 Apr 2025 14:15:00 +0000
  Metrics (SSVC 2.0.3), added: Automatable: no; Exploitation: none; Technical Impact: partial

Thu, 24 Apr 2025 08:45:00 +0000
  Description, added: The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘successredirect’ parameter in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  Title, added: FuseDesk <= 6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via successredirect Parameter
  Weaknesses, added: CWE-79
  References: added
  Metrics (CVSS v3.1), added: 6.4, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N


Subscriptions

Jeremyshapiro Fusedesk

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:22.388Z

Reserved: 2025-04-20T15:13:42.937Z

Link: CVE-2025-3832

Vulnrichment

Updated: 2025-04-24T13:52:56.707Z

NVD

Status: Deferred

Published: 2025-04-24T09:15:32.250

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3832

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:15:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')