CVE-2025-9989 Overview
The Broadstreet plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in admin settings affecting all versions up to and including 1.53.1. The flaw stems from insufficient input sanitization and output escaping in plugin-controlled administrative fields. Authenticated attackers with administrator-level permissions can inject arbitrary web scripts that execute when users access the affected pages. The vulnerability only affects multi-site WordPress installations and single-site installations where unfiltered_html has been disabled. The issue is tracked under [CWE-79] and assigned a CVSS score of 4.4.
Critical Impact
Authenticated administrators on multi-site WordPress installations can persist malicious JavaScript into admin-rendered pages, enabling session theft, privilege abuse, and lateral movement across network sites.
Affected Products
- Broadstreet plugin for WordPress versions up to and including 1.53.1
- WordPress multi-site network installations using the plugin
- WordPress installations with unfiltered_html capability disabled
Discovery Timeline
- 2026-05-13 - CVE-2025-9989 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2025-9989
Vulnerability Analysis
The Broadstreet plugin exposes administrative settings that accept user-supplied input without performing adequate sanitization on save or escaping on render. An attacker meeting the privilege prerequisites submits crafted payloads containing HTML or JavaScript through the plugin's admin settings interface. The plugin persists these payloads to the WordPress database. When any user, including higher-privileged administrators or network super-administrators, loads the affected page, the browser executes the injected script in the context of the WordPress origin.
The attack scope reaches beyond the initial injection context because stored payloads execute against every viewer of the compromised page. On multi-site networks, this provides a path for site-level administrators to attack the super-administrator account that manages the entire network.
Root Cause
The plugin fails to apply WordPress sanitization helpers such as sanitize_text_field() or wp_kses() on input received through admin settings. It also omits escaping functions like esc_html() or esc_attr() when rendering stored values back to the page. This double failure of input sanitization and output escaping permits raw script tags and event handlers to survive the storage and render lifecycle, classifying the issue as Stored XSS under [CWE-79].
Attack Vector
Exploitation requires an authenticated session with administrator-level permissions. On a single-site WordPress installation, administrators normally hold the unfiltered_html capability, which legitimately allows raw HTML. The vulnerability becomes exploitable only when that capability is removed, which is the default behavior on multi-site networks for non-super-admin users. The attacker navigates to the Broadstreet admin settings page, submits a payload containing JavaScript, and waits for another user to view the page. The injected script then runs with the privileges of the viewing user.
No verified public proof-of-concept code is available. Refer to the Wordfence Vulnerability Report and the WordPress Revision Changeset for technical details on the affected code paths and the upstream fix.
Detection Methods for CVE-2025-9989
Indicators of Compromise
- Unexpected <script> tags, javascript: URIs, or HTML event handlers stored in wp_options rows associated with the Broadstreet plugin
- Outbound requests from administrator browser sessions to attacker-controlled domains after visiting plugin admin pages
- Plugin settings modifications in WordPress audit logs originating from compromised or unexpected administrator accounts
Detection Strategies
- Query the WordPress database for Broadstreet-related option values and inspect them for HTML or script content
- Monitor administrator authentication events and correlate them with plugin settings updates in the WordPress activity log
- Inspect HTTP response bodies for the plugin admin pages and flag rendered content that includes unescaped script payloads
Monitoring Recommendations
- Enable WordPress security plugins or server-side logging that records all changes to plugin option values with user attribution
- Monitor browser-side anomalies such as unexpected script execution or DOM modifications on /wp-admin/ pages
- Alert on creation of new administrator accounts following any plugin settings change to detect post-XSS persistence actions
How to Mitigate CVE-2025-9989
Immediate Actions Required
- Update the Broadstreet plugin to the version released after 1.53.1 that addresses the issue, as referenced in the WordPress Revision Changeset
- Audit all WordPress administrator accounts and remove unused or stale privileged users on multi-site networks
- Review Broadstreet plugin settings for any pre-existing injected payloads and sanitize stored values before re-enabling the plugin
Patch Information
The Broadstreet maintainers committed a fix in the WordPress plugin repository tracked at changeset 3524817. Upgrade to the patched release available on the WordPress.org plugin directory. Review the Wordfence Vulnerability Report for the precise fixed version number and additional remediation guidance.
Workarounds
- Deactivate the Broadstreet plugin on multi-site installations until the patched version is installed
- Restrict administrator account access using multi-factor authentication and IP allowlisting on /wp-admin/
- Apply a web application firewall rule that blocks script tags and event handler attributes submitted to Broadstreet admin endpoints
# Configuration example: update the Broadstreet plugin via WP-CLI
wp plugin update broadstreet --version=<patched-version>
wp plugin status broadstreet
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
