CVE-2025-6681 - Vulnerability Details

- Fan Page <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter

Description

The Fan Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: 2025-07-29

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Stored Cross‑Site Scripting is possible when an authenticated user having Contributor or higher privileges submits an entry containing malicious JavaScript in the width parameter. The input is not sanitized and is later rendered back to the browser unescaped. When any user views the affected page, the injected script runs with that user’s browser context, allowing the attacker to steal session cookies, perform phishing, or further compromise the site.

Affected Systems

The vulnerability is found in the Fan Page WordPress plugin made by delower186. All released versions up to and including 1.0.1 are affected. Any WordPress site that has this plugin installed and permits Contributor role access is potentially exploitable.

Risk and Exploitability

With a CVSS base score of 6.4 the flaw is considered medium severity. The EPSS score of less than 1 % indicates that large‑scale exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV. Attack requires a valid WordPress account with Contributor‑level rights or higher and the ability to create or edit a page that renders the width field. Upon successful injection an attacker can run arbitrary client‑side code whenever a visitor loads the compromised page.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

delower186

Fan Page

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.0.1

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Fan Page plugin to the latest version that contains the fix for the width parameter XSS issue.
Revoke or downgrade Contributor‑level accounts that are not required for site operations to reduce privilege that can inject scripts.
If an upgrade cannot be performed immediately, use a web application firewall or security plugin to block or sanitize input to the width parameter and monitor site activity for anomalous script execution.

Generated by OpenCVE AI on April 21, 2026 at 19:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-22982	The Fan Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00048.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://wordpress.org/plugins/fan-page/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/7f86a85c-fe40-4020-b4d2-623dabac98a2?source=cve

History

Wed, 30 Jul 2025 06:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress
Vendors & Products		Wordpress Wordpress wordpress

Tue, 29 Jul 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 29 Jul 2025 09:30:00 +0000

Type	Values Removed	Values Added
Description		The Fan Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title		Fan Page <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter
Weaknesses		CWE-79
References		https://wordpress.org/plugins/fan-page/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/7f86a85c-fe40-4020-b4d2-623dabac98a2?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-07-29T09:23:45.984Z

Updated: 2026-04-08T17:03:23.189Z

Reserved: 2025-06-25T20:47:07.089Z

Link: CVE-2025-6681

Vulnrichment

Updated: 2025-07-29T13:44:41.433Z

NVD

Status : Deferred

Published: 2025-07-29T10:15:29.173

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6681

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:45:16Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object