WP Less Compiler CVE-2025-25142
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Less Compiler allows Stored XSS. This issue affects WP Less Compiler: from n/a through 1.3.0.
AnalysisAI
Stored cross-site scripting in WP Less Compiler WordPress plugin versions through 1.3.0 enables remote unauthenticated attackers to inject malicious scripts that execute in victim browsers when triggered by user interaction. The vulnerability affects a WordPress LESS CSS preprocessor plugin, with scope change (S:C) indicating potential attack escalation beyond the plugin's security context. EPSS score of 0.09% (26th percentile) suggests low probability of widespread exploitation attempts. No active exploitation confirmed by CISA KEV at time of analysis.
Technical ContextAI
WP Less Compiler is a WordPress plugin that compiles LESS (Leaner Style Sheets) into CSS for theme development. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating insufficient input sanitization or output encoding when processing user-supplied data. In WordPress plugins, stored XSS typically occurs when plugin settings, configuration fields, or user-generated content are saved to the database without proper validation and later rendered without escaping. The attack vector (AV:N) confirms the vulnerability is accessible through WordPress's web interface, while the changed scope (S:C) in the CVSS vector suggests the injected script can operate beyond the plugin's intended privilege boundaries, potentially accessing WordPress admin session tokens or performing actions across the WordPress application context.
Affected ProductsAI
WordPress WP Less Compiler plugin versions from earliest available release through version 1.3.0 (inclusive). The vulnerability affects all installations running version 1.3.0 or earlier. Patchstack vulnerability database reference available at https://patchstack.com/database/wordpress/plugin/wp-less-compiler/vulnerability/wordpress-wp-less-compiler-plugin-1-3-0-cross-site-scripting-xss-vulnerability providing detailed analysis. No CPE string provided in vulnerability data. Plugin is distributed through WordPress.org plugin repository under slug 'wp-less-compiler'.
RemediationAI
Primary remediation: Upgrade WP Less Compiler to version 1.3.1 or later if a patched release has been issued. At time of analysis, Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wp-less-compiler/vulnerability/wordpress-wp-less-compiler-plugin-1-3-0-cross-site-scripting-xss-vulnerability) confirms the vulnerability but patch version availability requires verification from plugin developer or WordPress.org repository. If no patch is available, implement compensating controls: restrict plugin configuration access to only super-administrators via WordPress role management, implement Content Security Policy headers with 'script-src self' directive to block inline script execution (trade-off: may break legitimate WordPress admin functionality requiring inline scripts), or remove the plugin entirely and migrate to alternative LESS compilation solutions such as WP-SCSS or server-side build tools like Webpack. Audit existing plugin settings and stored content for injected script payloads matching common XSS patterns (script tags, event handlers, javascript: protocols).
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today