CVE-2025-4579 Overview
CVE-2025-4579 is a Stored Cross-Site Scripting (XSS) vulnerability in the WP Content Security Policy plugin for WordPress. The flaw affects all versions up to and including 2.3. It exists because the plugin fails to properly sanitize and escape the blocked-uri and effective-directive parameters received from Content Security Policy violation reports. Unauthenticated attackers can inject arbitrary JavaScript that executes whenever an administrator or user views the affected page. The issue is tracked under CWE-79.
Critical Impact
Unauthenticated attackers can inject persistent JavaScript into the WordPress admin context, enabling session theft, account takeover, and full site compromise when a logged-in administrator views the injected content.
Affected Products
- WordPress Plugin: WP Content Security Policy (wp-content-security-policy)
- All versions up to and including 2.3
- Affected source file: includes/WP_CSP.php
Discovery Timeline
- 2025-05-15 - CVE-2025-4579 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-4579
Vulnerability Analysis
The WP Content Security Policy plugin processes Content Security Policy (CSP) violation reports submitted by browsers. These reports contain fields such as blocked-uri and effective-directive describing why a CSP rule was triggered. The plugin stores these values and later renders them in the WordPress admin interface without applying input sanitization on write or output escaping on read.
Because CSP violation report endpoints accept unauthenticated POST requests by design, an attacker can craft malicious report payloads containing JavaScript inside the affected parameters. The payload is persisted to the database and executes in the browser of any user viewing the violation log, including site administrators.
The vulnerability is classified as Stored XSS under CWE-79. Successful exploitation in the admin context can lead to creation of rogue administrator accounts, plugin installation, and full site takeover.
Root Cause
The root cause is missing input sanitization and missing output escaping in WP_CSP.php around lines 597, 612, and 659. The plugin trusts attacker-controlled fields from CSP report submissions and writes them to storage and HTML output without using WordPress functions such as sanitize_text_field() on input or esc_html() / esc_attr() on output.
Attack Vector
The attack vector is remote and network-based, requires no authentication, and no user interaction is needed to inject the payload. The attacker sends a forged CSP violation report to the reporting endpoint exposed by the plugin. The injected script executes when a privileged user later loads the page that renders the stored report fields. See the Wordfence Vulnerability Report and the relevant code locations in the WP_CSP.php source for technical details.
No verified public proof-of-concept code is currently linked in the NVD entry, so exploitation details are described in prose rather than reproduced here.
Detection Methods for CVE-2025-4579
Indicators of Compromise
- Unexpected CSP violation report entries containing HTML tags, <script> markup, javascript: URIs, or event handlers such as onerror= in the blocked-uri or effective-directive fields.
- New or unfamiliar WordPress administrator accounts created shortly after CSP report submissions.
- Outbound requests from administrator browsers to attacker-controlled domains following access to the plugin's report view.
- Unexpected modifications to themes, plugins, or wp_options entries following admin sessions.
Detection Strategies
- Inspect stored CSP violation records in the WordPress database for non-URL characters and script-like content in the blocked-uri and effective-directive columns.
- Monitor HTTP POST requests to the plugin's CSP reporting endpoint for payloads containing angle brackets, quotes, or JavaScript keywords.
- Review web server access logs for repeated unauthenticated POSTs to the report-uri endpoint from a single source.
Monitoring Recommendations
- Enable WordPress audit logging for user creation, role changes, and plugin or theme file modifications.
- Alert on administrator sessions that immediately follow access to the plugin's violation report admin page.
- Forward WordPress and web server logs to a centralized analytics platform for correlation and retention.
How to Mitigate CVE-2025-4579
Immediate Actions Required
- Identify all WordPress sites running the WP Content Security Policy plugin at version 2.3 or earlier.
- Update the plugin to a patched release once the vendor publishes a fix, or deactivate and remove it until a patch is available.
- Purge existing CSP violation report entries from the database to remove any previously injected payloads.
- Audit administrator accounts, scheduled tasks, and recently modified plugin or theme files for signs of compromise.
Patch Information
At the time of NVD publication, the vulnerability affects all versions up to and including 2.3. Site operators should consult the Wordfence Vulnerability Report and the plugin's repository for current patch status and upgrade guidance.
Workarounds
- Deactivate the WP Content Security Policy plugin until a fixed version is installed.
- Block unauthenticated access to the plugin's CSP report endpoint at the web server or WAF layer.
- Restrict access to the WordPress admin area using IP allowlisting or HTTP authentication to reduce exposure of stored payloads.
- Apply a WAF rule that drops POST requests to the CSP reporting endpoint when the body contains <, >, or script tokens in the blocked-uri or effective-directive fields.
# Example nginx rule to block script-like payloads to the CSP report endpoint
location ~* /wp-json/.*csp.*report {
if ($request_method = POST) {
if ($request_body ~* "(<script|onerror=|javascript:)") {
return 403;
}
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
