CVE-2025-5085 Overview
CVE-2025-5085 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the WP Nano AD plugin for WordPress in all versions up to and including 1.31. The flaw resides in the handling of the blogrole_link parameter, which lacks sufficient input sanitization and output escaping. Authenticated attackers with administrator-level access can inject arbitrary JavaScript that executes when users visit affected pages. The issue is tracked under [CWE-79] and only impacts multi-site installations or installations where the unfiltered_html capability has been disabled.
Critical Impact
Authenticated administrators on WordPress multi-site environments can persistently inject scripts that execute in the browsers of users visiting affected pages, enabling session theft and content manipulation.
Affected Products
- WP Nano AD plugin for WordPress, all versions through 1.31
- WordPress multi-site installations using the plugin
- WordPress installations where unfiltered_html has been disabled
Discovery Timeline
- 2026-06-02 - CVE-2025-5085 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2025-5085
Vulnerability Analysis
The vulnerability is a Stored Cross-Site Scripting flaw in the WP Nano AD plugin. The plugin accepts the blogrole_link parameter from authenticated users without performing adequate input sanitization. It then renders the stored value back to the page without proper output escaping. As a result, attacker-supplied JavaScript persists in the database and executes in any browser that subsequently loads the injected page.
The attack requires administrator-level privileges, which raises the bar for exploitation. However, on WordPress multi-site networks, site administrators are not granted the unfiltered_html capability by default, meaning their input is expected to be sanitized. The plugin fails to enforce this expectation, allowing a lower-trust administrator on a sub-site to escalate impact across the network.
Root Cause
The root cause is the plugin's failure to sanitize input passed through the blogrole_link parameter in add_links.php and to escape it on output. WordPress provides helper functions such as esc_url_raw() for storage and esc_url() or esc_attr() for output, but the plugin does not apply these consistently to the affected field. See the WordPress Plugin Source Code for the unsanitized handling.
Attack Vector
An authenticated attacker with administrator privileges submits a crafted payload through the plugin's blogrole_link field. The payload is persisted by the plugin and later rendered into pages served to other users. When a visitor loads such a page, the injected script executes in their session context. Refer to the GitHub XSS Vulnerability Report and the Wordfence Vulnerability Analysis for technical write-ups.
No verified public exploit code is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-5085
Indicators of Compromise
- Unexpected <script>, onerror, or javascript: payloads stored in plugin configuration rows or in the wp_options table associated with WP Nano AD.
- HTTP POST requests to plugin administrative endpoints containing the blogrole_link parameter with HTML or JavaScript content.
- Outbound browser requests from site visitors to attacker-controlled domains shortly after loading pages that render plugin-managed link blocks.
Detection Strategies
- Audit the WordPress database for plugin-managed values containing <, >, script, or on*= patterns in URL fields.
- Review web server access logs for administrator-authenticated POST requests to add_links.php and related plugin endpoints.
- Compare the installed plugin version against 1.31 and flag any installation at or below that version as vulnerable.
Monitoring Recommendations
- Enable WordPress audit logging to capture plugin configuration changes by administrators on multi-site networks.
- Deploy a Content Security Policy (CSP) with reporting to surface unexpected inline script execution on plugin-rendered pages.
- Monitor for new or modified administrator accounts on sub-sites, as administrator-level access is a precondition for exploitation.
How to Mitigate CVE-2025-5085
Immediate Actions Required
- Identify all WordPress multi-site installations running WP Nano AD version 1.31 or earlier and treat them as vulnerable.
- Deactivate the WP Nano AD plugin on affected sites until a patched release is verified.
- Audit existing plugin configuration entries and remove any values containing HTML or script content from the blogrole_link field.
- Restrict creation of new administrator accounts on multi-site networks and review existing administrator membership.
Patch Information
No vendor patch has been documented in the NVD record at the time of publication. Monitor the WP Nano AD plugin page and the Wordfence Vulnerability Analysis for updates beyond version 1.31.
Workarounds
- Disable or uninstall the WP Nano AD plugin on multi-site installations until a fixed version is available.
- Re-enable the unfiltered_html capability only for fully trusted super administrators, and avoid granting it to per-site administrators.
- Deploy a web application firewall rule that blocks HTML and script tokens in the blogrole_link POST parameter.
- Apply a strict Content Security Policy that disallows inline scripts on pages rendered by the plugin.
# Example: list installed WP Nano AD versions across a multi-site network using WP-CLI
wp plugin list --network --name=wp-nano-ad --fields=name,status,version
# Example: deactivate the plugin network-wide until a patch is available
wp plugin deactivate wp-nano-ad --network
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
